MAL-2026-6128

Malicious code in abuden218 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66)

Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry (importScripts) that throws when loaded under Node; the package is not a usable npm library.

The shipped contents are a static web-proxy application (bare-mux v2.1.9 plus a service-worker proxy in sw.js), with index.html cover-storying the bundle as 'Riverbend Tutoring' while a Roblox shortcut icon and code that opens https://abdct.com/ on user interaction are included. All 12 asset JS files are heavily obfuscated (hex-prefixed identifiers like _0xaaed02 throughout assets/*.js).

The tarball additionally ships auto-publish.sh, a shell script that iterates the names 'ratelimitsucks', 'ratelimitsucks1', ..., copies the tree to a temp dir, rewrites package.json.name, and runs `npm publish --silent` in parallel, i.e. the author's own mass-republishing pipeline accidentally included in the release.

The package has no lifecycle hooks, so installing it does not directly execute code on the installer; the harm is registry pollution and consumer deception (developers who `npm install` this expecting a library get a non-functional service-worker bundle masquerading as one of many spam-named republishes).
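The indicators above (a `main` entry that is really a service worker, hex-prefixed obfuscator identifiers, a bundled `npm publish` script, and the absence of lifecycle hooks) can be checked before a package is installed. The script below is an added example written for this record, not tooling from amazon-inspector or the advisory source; the package layout it builds is a constructed stand-in, and the finding labels and thresholds are the author's assumptions.

```python
"""Pre-install triage of an unpacked npm package directory, keyed to the
indicators described in this record (added example, not advisory tooling)."""
import json
import re
import tempfile
from pathlib import Path

HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")  # obfuscator-style identifier names
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}

def audit_package(root: Path) -> set[str]:
    """Return a set of finding labels for the package rooted at `root`."""
    findings = set()
    pkg = json.loads((root / "package.json").read_text())
    # 1. Lifecycle hooks are the only way `npm install` runs code on the installer.
    if LIFECYCLE & set(pkg.get("scripts", {})):
        findings.add("lifecycle-hook")
    # 2. Entry point that is a service worker rather than a Node module.
    main = root / pkg.get("main", "index.js")
    if main.is_file() and "importScripts(" in main.read_text():
        findings.add("main-is-service-worker")
    # 3. Obfuscated JS: five or more distinct hex-prefixed identifiers in one file.
    for js in root.rglob("*.js"):
        if len(set(HEX_IDENT.findall(js.read_text()))) >= 5:
            findings.add("obfuscated-js")
            break
    # 4. Publish automation accidentally shipped inside the tarball.
    for sh in root.rglob("*.sh"):
        if "npm publish" in sh.read_text():
            findings.add("bundled-publish-script")
            break
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed stand-in mirroring the layout the record describes."""
    (root / "assets").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({"name": "example-pkg", "main": "sw.js"}))
    (root / "sw.js").write_text("importScripts('bare-mux.js');\n")
    (root / "assets" / "app.js").write_text(
        "var _0xaaed02=1,_0x1f3b=2,_0xb7c9d0=3,_0x55aa11=4,_0x9e2f00=5;\n")
    (root / "auto-publish.sh").write_text(
        "#!/bin/sh\nfor n in name1 name2; do npm publish --silent & done\n")

def run_demo() -> set[str]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return audit_package(Path(d))

if __name__ == "__main__":
    print(sorted(run_demo()))
```

Run it against a real unpacked tarball with `audit_package(Path("package"))` after `tar xzf name.tgz`; an empty result means none of these four indicators fired, not that the package is safe.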

Affected packages

npm / abuden218

No fixed version published yet for abuden218 (npm). Pin to a known-safe version or switch to an alternative.