MAL-2026-5916
Malicious code in nottuff25 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0)

The tarball is not a Node library. `package.json` declares `main: sw.js` with description `"package"` and an empty author; `sw.js` is a browser ServiceWorker (`importScripts('./8cfc2/hgshm.js')`, `self.skipWaiting()`, `self.clients`, fetch interception) that has no meaning when consumed via `require('nottuff25')` in Node. The shipped static site bundles the Mercury Workshop Scramjet web proxy plus bare-mux, branded as "Riverbend Tutoring" while pointing `og:url` at `21baseballacademy.com` — a misrepresentation of what the npm name advertises. The tarball also ships `auto-publish.sh`, a bash script with a hardcoded list of 95+ sibling package names (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) that rewrites `package.json` and runs `npm publish --silent` in a loop — the attacker's own mass-publication pipeline shipped inside the artifact, with the current package name `nottuff25` appearing as a literal entry in that list. `index.html` additionally registers click/keydown/touchstart listeners that open `https://abdct.com/` as a popunder on first interaction (browser-side adware, not installer-side). No install/require-time exfil, RCE, or credential theft is present, but this is a coordinated namespace-pollution campaign and the package misrepresents itself to npm consumers.
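As an added example (not part of the advisory or of the Amazon Inspector analysis), the following Python triage check looks for the two structural signals described above in an unpacked package: a `main` entry that calls browser ServiceWorker APIs, and a bundled shell script that runs `npm publish` inside a loop and lists the package's own name. The sample package it builds is constructed for the demo, and the marker strings and the `*.sh` glob are assumptions.

```python
"""Heuristic triage of an unpacked npm package for the signals MAL-2026-5916
describes: a `main` file that is a browser ServiceWorker (meaningless under
Node's require()) and a shell script that mass-publishes packages, naming
this package. Marker strings and file globs are assumptions, not a standard."""
import json
import re
import tempfile
from pathlib import Path

# Browser ServiceWorker APIs that a Node library has no reason to call.
SERVICE_WORKER_MARKERS = ("importScripts(", "self.skipWaiting()", "self.clients")
# A `for`/`while` construct followed (lazily) by an `npm publish` invocation.
PUBLISH_LOOP = re.compile(r"\b(for|while)\b.*?npm\s+publish", re.S)

def triage_package(pkg_dir):
    """Return a findings dict for an unpacked package directory."""
    pkg_dir = Path(pkg_dir)
    meta = json.loads((pkg_dir / "package.json").read_text())
    name = meta.get("name", "")
    findings = {"main_is_service_worker": False,
                "publish_scripts": [], "own_name_in_publish_list": False}
    main = pkg_dir / meta.get("main", "index.js")
    if main.is_file():
        src = main.read_text(errors="replace")
        findings["main_is_service_worker"] = any(m in src for m in SERVICE_WORKER_MARKERS)
    for script in sorted(pkg_dir.rglob("*.sh")):
        body = script.read_text(errors="replace")
        if PUBLISH_LOOP.search(body):
            findings["publish_scripts"].append(script.name)
            if name and re.search(rf"\b{re.escape(name)}\b", body):
                findings["own_name_in_publish_list"] = True
    return findings

def build_sample_package(malicious=True):
    """Write a constructed package to a temp dir: benign, or shaped like the advisory's."""
    d = Path(tempfile.mkdtemp())
    if not malicious:
        (d / "package.json").write_text(json.dumps({"name": "cleanpkg", "main": "index.js"}))
        (d / "index.js").write_text("module.exports = () => 42;\n")
        return d
    (d / "package.json").write_text(json.dumps(
        {"name": "nottuff25", "main": "sw.js", "description": "package", "author": ""}))
    (d / "sw.js").write_text("importScripts('./8cfc2/hgshm.js');\nself.skipWaiting();\n")
    (d / "auto-publish.sh").write_text(
        "for n in nottuff24 nottuff25 ishowfeet1; do\n"
        "  # rewrite the name field in package.json to $n (elided in this sample)\n"
        "  npm publish --silent\n"
        "done\n")
    return d

if __name__ == "__main__":
    print(triage_package(build_sample_package()))
    print(triage_package(build_sample_package(malicious=False)))
```

The check is a coarse first pass for a registry feed or CI gate; a hit means "look at this tarball by hand", not a verdict.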
Affected packages
No fixed version published yet for nottuff25 (npm). Pin to a known-safe version or switch to an alternative.