VYPR

npm · Malicious package advisory

Malware

abuden21

MAL-2026-5937

Malicious code in abuden21 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22)
The tarball ships `auto-publish.sh`, which iterates a hardcoded list of ~90 unrelated package names (`imillegal1..N`, `ishowfeet*`, `nottuff*`, `abuden*`, `ratelimitsucks*`) and runs `npm publish --silent` for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in `assets/*.js`. `package.json` has no `preinstall`/`install`/`postinstall` hooks and no `bin`; the declared `main` is a browser service worker (`sw.js`) that calls `importScripts`/`self` and throws immediately under Node, so `npm install abuden21` and `require('abuden21')` perform no code execution against the installer. The bundled `index.html` (and a duplicate inside `logo.svg`) registers click/keydown/touchstart handlers that open `https://abdct.com/` as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.

## Source: ghsa-malware (467b755aecd2b9bed5b5771c6fd59024d00f1d5c5aff97e7d70f0aaab2d0319e)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (3)

  • 1.7.7
  • 2.0.0
  • 1.1.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.