MAL-2026-5917
Malicious code in nottuff4 (npm)
Details
## Source: amazon-inspector (c4f105cfb08cd05b609d2fb92793d7f8cb61d42add7d39e2491e6ba791f550e1)

Package ships a Scramjet-based web proxy (sw.js service worker + bare-mux + WASM rewriter under assets/) plus a static 'Riverbend Tutoring' index.html cover page. index.html lines 60-69 install click/keydown/touchstart listeners that call window.open("https://abdct.com/", "_blank", "noreferrer") on first user interaction.

The package is one of ~85 throwaway sibling names auto-published via the bundled auto-publish.sh (imillegal*, ishowfeet*, nottuff*, abuden*, ratelimitsucks*); package.json carries placeholder metadata (name 'package', empty author, no homepage/repo). The asset JavaScript is heavily obfuscated (hex-mangled identifiers throughout assets/*.js), consistent with the upstream Scramjet bundles.

main is set to sw.js, which begins with importScripts('./8cfc2/hgshm.js') and uses service-worker globals (self.addEventListener for install/activate/fetch/message); require('nottuff4') from Node throws on the first line, so there is no install-time or import-time code path that executes against a developer who runs `npm install nottuff4`. The harm — namespace pollution, ToS-evading proxying, and the monetized popup redirect — only materializes when someone unpacks the tarball and serves it as a website to browser visitors. Routing for human review as registry-policy abuse rather than as a supply-chain attack on installers.
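The triage reasoning above, written out as a Node script (an added example, not code from the advisory, the scanner or the package): it checks the three execution contexts a tarball can reach (npm lifecycle scripts, `require()` of `main`, and a served page) and routes the finding the same way. The package.json, main file and index.html contents are constructed stand-ins with placeholder paths and URLs, and the "throws at first statement" check is a deliberately conservative heuristic.

```javascript
// Constructed sample inputs; placeholder paths/URLs, not the real package's files.
const SAMPLE_PKG = JSON.stringify({ name: 'package', version: '1.0.0', main: 'sw.js', author: '' });
const SAMPLE_MAIN = [
  "importScripts('./placeholder/worker-bundle.js');",
  "self.addEventListener('fetch', (e) => e.respondWith(fetch(e.request)));",
].join('\n');
const SAMPLE_HTML = `<script>
  function go() { window.open("https://redirect.example/", "_blank", "noreferrer"); }
  document.addEventListener("click", go, { once: true });
  document.addEventListener("keydown", go, { once: true });
  document.addEventListener("touchstart", go, { once: true });
</script>`;

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const USER_EVENTS = ['click', 'keydown', 'keyup', 'mousedown', 'pointerdown', 'touchstart'];
// Globals that exist in a service worker but not in Node's module scope.
const SW_GLOBALS = /\bimportScripts\s*\(|\bself\.addEventListener\s*\(\s*['"](install|activate|fetch|message)['"]/;

// Install-time path: only npm lifecycle scripts run during `npm install`.
function lifecycleScripts(pkgJson) {
  const scripts = JSON.parse(pkgJson).scripts || {};
  return LIFECYCLE.filter((name) => name in scripts);
}

// Import-time path: if the first statement of "main" touches a worker-only
// global, require() throws a ReferenceError before any other code runs.
function throwsAtFirstStatement(mainSrc) {
  const first = mainSrc.split('\n').map((l) => l.trim()).find((l) => l && !l.startsWith('//'));
  return first !== undefined && SW_GLOBALS.test(first);
}

// Browser path: user-interaction events wired to listeners on a page that
// also calls window.open, i.e. the first-interaction popup pattern.
function interactionPopups(html) {
  if (!/\bwindow\.open\s*\(/.test(html)) return [];
  const events = new Set();
  for (const m of html.matchAll(/addEventListener\s*\(\s*['"](\w+)['"]/g)) {
    if (USER_EVENTS.includes(m[1])) events.add(m[1]);
  }
  return [...events];
}

// Combine the three checks into the routing decision the advisory describes.
// Anything that can run for an installer is treated as supply-chain risk.
function triage(pkgJson, mainSrc, html) {
  const hooks = lifecycleScripts(pkgJson);
  const reachesInstaller = hooks.length > 0 || !throwsAtFirstStatement(mainSrc);
  const popups = interactionPopups(html);
  let route = 'no-finding';
  if (reachesInstaller) route = 'supply-chain';
  else if (popups.length > 0) route = 'registry-policy-abuse';
  return { lifecycleScripts: hooks, reachesInstaller, popupEvents: popups, route };
}

console.log(triage(SAMPLE_PKG, SAMPLE_MAIN, SAMPLE_HTML));
```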
Affected packages
No fixed version published yet for nottuff4 (npm). Pin to a known-safe version or switch to an alternative.