VDB
EN

MAL-2026-10291

Malicious code in backupsitetuff10 (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8062677ad6aa536c8e4582df43db6251e78e0cd2a0e4c36348a997bc28b06d5b) The tarball ships `auto-publish.sh`, a script that republishes the same payload under ~100 distinct npm names (`ishowfeet1`-`ishowfeet20`, `nottuff1`-`nottuff30`, `abuden*`, `imillegal*`, `ratelimitsucks*`, etc/) by rewriting `package.json.name` and running `npm publish --silent` in a loop — namespace-spam infrastructure shipped inside the package itself. The package's declared `main` is `sw.js`, a browser Service Worker (`importScripts('./8cfc2/hgshm.js')`, `self.addEventListener('install'|'activate'|'fetch'|'message')`) that throws immediately if loaded from Node. The shipped assets are a heavily obfuscated Ultraviolet/bare-mux web-proxy frontend with an `index.html` themed as "Riverbend Tutoring" that hides a popunder redirect to `https://abdct.com/` on click/keydown/touchstart. `package.json` declares no `preinstall`/`install`/`postinstall`/`prepare` hooks, and `require('ishowfeet9')` from Node fails before any code runs, so a Node installer experiences no auto-execution. The harm is registry abuse (mass-publication of a misleading name family) and a browser-side proxy/popunder served to whoever later loads these static assets — not installer-side compromise. Routing to human review for namespace-abuse adjudication.

## Source: ghsa-malware (05a63c4b514a36754503e2ff8c725acdcf63a300877992d28e1d76d515327526) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / backupsitetuff10
최초 영향 버전: 0

No fixed version published yet for backupsitetuff10 (npm). Pin to a known-safe version or switch to an alternative.

참고