MAL-2026-5938
Malicious code in speed4 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0)

speed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains `auto-publish.sh`, which sets `BASE="speed"` and `TOTAL=5`, copies the package contents into `tmp_speedN` directories, rewrites `package.json.name` to `speed1`..`speed5`, and runs `npm publish --silent` for each variant. Leftover nested directories `tmp_speed3/tmp_speed2/tmp_speed1/` shipped inside the tarball show that the script has been run at least three times (each run copies the previous run's leftover directories along with everything else) and that all five `speedN` packages distribute identical content.

Package metadata is consistent with a squat: a generic short name, `"description": "package"`, and an empty `author` field.

The served content is a deceptive HTML page (`index.html`) that advertises a 'Riverbend Tutoring' brand while registering first-gesture `click`, `keydown` and `touchstart` handlers that call `window.open('https://abdct.com/', '_blank', 'noreferrer')`, redirecting visitors to an unrelated third-party domain on their first interaction with the page. The tarball additionally bundles a dozen heavily obfuscated JavaScript assets under `assets/` (identifiers renamed to hex-style strings, minified onto a single line), duplicated across the nested clone directories.

Installing this package, or pulling it into a build, hands the consumer an attacker-controlled deceptive payload that is published under multiple confusable short names on the registry.
Affected packages
No fixed version has been published for speed4 (npm), and the advisory describes no legitimate content in any version: all five `speed1`..`speed5` packages carry the same payload. Remove the package (and any `speedN` sibling) from dependency manifests and lockfiles rather than pinning a version.