VYPR

npm · Malicious package advisory

Malware

abuden22

MAL-2026-6129

Malicious code in abuden22 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57)
The tarball contains a static-site bundle (index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js). The package's declared main entry is sw.js, which is a browser ServiceWorker (uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node — require()/import in Node throws on those globals. There are no preinstall/install/postinstall lifecycle hooks; only a `test` script is declared. The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temp directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1,...) via `npm publish --silent`, using the author's own ambient credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on `npm install`. index.html also contains a browser-side popunder that opens https://abdct.com/ on the first user gesture, which only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle. There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install/import, or otherwise harms the installer's environment. The package is registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.

## Source: ghsa-malware (a286e5d58b74a16a942d393217a24eff83438d762fafac5a479f4b5392a44ff5)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (3)

  • 1.7.7
  • 2.0.0
  • 1.1.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.