MAL-2026-6135
Malicious code in ratelimitsucks (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f)

Package is not a library. `main` points at `sw.js`, a browser Service Worker that uses `importScripts`, `self.addEventListener('fetch'|'install'|'activate')`, and `self.clients.claim()` — all undefined in Node, so `require('ratelimitsucks')` throws on the first line. There are no install lifecycle hooks (`scripts` only declares `test`), so `npm install` of this package does not auto-execute any code on the installer's machine.

The shipped contents are a school-filter-bypass web proxy (12 heavily obfuscated `assets/*.js` files with hex-mangled identifiers, a Service Worker that rewrites HTML responses and intercepts navigation), an `index.html` cover page ("Riverbend Tutoring") that loads a third-party script from `cdn.21baseballacademy.com` and opens a popunder to `abdct.com`, and an `auto-publish.sh` script that loops i=1..10, rewrites `package.json.name` to `ratelimitsucks`, `ratelimitsucks1`, ..., `ratelimitsucks9`, and runs `npm publish` for each — the author's own mass-publication pipeline shipped inside the tarball.

Direct harm to a developer who installs this package is effectively nil (no hooks, no require-safe entry point). The harms are (a) abuse of the npm registry as a CDN for an unrelated proxy site, (b) demonstrated typosquat-name-squatting intent across 10 sibling names, and (c) a popunder ad redirect served from the cover page. Routing to human review for unpublish/registry-abuse handling rather than blocking as an installer-side supply-chain attack.
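As an added illustration (not code from the advisory, from amazon-inspector, or from the package itself), a small Node triage helper that applies the two checks the analysis above rests on: whether `package.json` declares any install lifecycle hook, and whether the `main` entry depends on Service Worker globals that do not exist in Node. The sample `package.json` and `sw.js` contents below are constructed from the description above, not copied from the tarball.

```javascript
// npm lifecycle scripts that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Globals that exist in a browser Service Worker but are undefined in Node,
// so a `main` file that uses them throws on require().
const SW_ONLY = ['importScripts', 'self.addEventListener', 'self.clients',
                 'self.skipWaiting', 'self.registration'];

// Return the install-time hooks a parsed package.json actually declares.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter(h => Object.prototype.hasOwnProperty.call(scripts, h));
}

// Return the Service-Worker-only APIs referenced in the main entry's source.
function serviceWorkerApis(source) {
  return SW_ONLY.filter(api => source.includes(api));
}

// Combine both checks into the two facts the advisory reasons from:
// does install auto-execute code, and is the entry point loadable in Node?
function triage(pkg, mainSource) {
  const hooks = installHooks(pkg);
  const swApis = serviceWorkerApis(mainSource);
  return {
    main: pkg.main || 'index.js',
    installHooks: hooks,
    serviceWorkerApis: swApis,
    autoExecutesOnInstall: hooks.length > 0,
    nodeRequireSafe: swApis.length === 0,
  };
}

// Constructed sample modelled on the advisory: `main` is sw.js, `scripts` has only `test`.
const samplePkg = { name: 'ratelimitsucks', main: 'sw.js', scripts: { test: 'echo "no tests"' } };
const sampleMain = [
  "importScripts('assets/a.js');",
  "self.addEventListener('install', () => self.skipWaiting());",
  "self.addEventListener('activate', e => e.waitUntil(self.clients.claim()));",
  "self.addEventListener('fetch', e => e.respondWith(fetch(e.request)));",
].join('\n');

console.log(JSON.stringify(triage(samplePkg, sampleMain), null, 2));
```

The same helper flags a package that does declare `postinstall`, which is the case that would warrant installer-side blocking rather than registry-abuse handling.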
Affected packages
No fixed version published yet for ratelimitsucks (npm). Pin to a known-safe version or switch to an alternative.