MAL-2026-5915
Malicious code in nottuff23 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd)

The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships `auto-publish.sh`, which hard-codes a list of sibling names (`nottuff1..30`, `ishowfeet1..20`, `imillegal1..5`, `abuden*`, `ratelimitsucks*`; `nottuff23` is on the list) and republishes the same payload to each name by rewriting `package.json.name` and running `npm publish --silent`.

The shipped content is not a Node library: `package.json.main` points at `sw.js`, a browser service worker that uses `importScripts` and `self.addEventListener('install'|'activate'|'fetch'|'message', ...)`, APIs that do not exist in Node and would throw if `require()`'d. The bundled obfuscated `assets/*.js` files are a dormant Ultraviolet-style web-proxy frontend, plus an `index.html` titled "Riverbend Tutoring" that loads remote scripts from `cdn.21baseballacademy.com` and `googletagmanager.com` and opens `https://abdct.com/` on click.

There are no npm lifecycle hooks (`scripts` contains only a no-op `test`); `npm install` and `require()` execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.
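The three traits the analysis above relies on (no install-time lifecycle hooks, a `main` that is service-worker code rather than a Node module, and a bulk-publish shell script in the tarball) can be checked statically. The following is an added example, not code from the advisory source or from the package; the tarball it builds is a constructed stand-in that mimics those traits, and the API and file names in it are assumptions.

```python
"""Static triage of an npm tarball for the traits in this advisory: install-time
lifecycle hooks, a `main` that is browser/service-worker code, and bulk-publish
scripts. Nothing from the tarball is executed."""
import io
import json
import re
import tarfile

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}  # npm may run these at install
SW_APIS = re.compile(r"\bimportScripts\s*\(|\bself\.addEventListener\s*\(\s*['\"](?:install|activate|fetch|message)['\"]")
BULK_PUBLISH = re.compile(r"\bnpm\s+publish\b")


def triage(tar_bytes: bytes) -> dict:
    """Return findings for one npm tarball given as bytes (files live under package/)."""
    findings = {"install_hooks": [], "main_is_service_worker": False, "bulk_publish_scripts": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}

        def read(name: str) -> str:
            return tar.extractfile(members[name]).read().decode("utf-8", "replace")

        pkg = json.loads(read("package/package.json"))
        findings["install_hooks"] = sorted(INSTALL_HOOKS & set(pkg.get("scripts", {})))
        main = "package/" + re.sub(r"^\./", "", pkg.get("main", "index.js"))
        if main in members and SW_APIS.search(read(main)):
            findings["main_is_service_worker"] = True  # these APIs throw under Node's require()
        findings["bulk_publish_scripts"] = sorted(
            n for n in members if n.endswith(".sh") and BULK_PUBLISH.search(read(n)))
    return findings


def build_sample_tarball(extra_scripts=None) -> bytes:
    """Constructed stand-in for the tarball described above (not the real package contents)."""
    scripts = {"test": "echo noop", **(extra_scripts or {})}
    files = {
        "package/package.json": json.dumps({"name": "nottuff23", "main": "sw.js", "scripts": scripts}),
        "package/sw.js": "importScripts('assets/uv.bundle.js');\nself.addEventListener('fetch', e => {});\n",
        "package/auto-publish.sh": "for n in nottuff1 nottuff23; do npm publish --silent; done\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_tarball()))
```

Passing `{"postinstall": "node sw.js"}` as `extra_scripts` shows how the same check would flag a variant that did wire the payload into an install hook.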
Affected packages
No fixed version published yet for nottuff23 (npm). Pin to a known-safe version or switch to an alternative.