MAL-2026-5914
Malicious code in nottuff15 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ea629a411d1555cb4dbc80aa218539333aefce15e110ad0a5eaa16e4a58ab5f3)

nottuff15 is one entry in a coordinated npm namespace-spam campaign. The tarball ships auto-publish.sh, a bash script that copies the package contents into ~95 differently-named tarballs (imillegal*, ishowfeet*, nottuff1..30, abuden*, ratelimitsucks*) and force-publishes each via `npm publish`; the package's own name 'nottuff15' appears in that list, confirming this release is generator output. Package metadata is placeholder content (description: "package", empty author).

The actual payload is a bundled SPA + ServiceWorker web proxy (Scramjet) plus a 5.4MB WASM-curl bundle in j3ve9/ls3ez.mjs, distributed via npm but intended to be hosted as a static site — npm is being abused as a static-asset CDN. The package's main entry (sw.js) calls importScripts() on its first line, which is a browser ServiceWorker global undefined in Node, so `require('nottuff15')` throws a ReferenceError immediately — there is no functioning library here.

The bundled index.html registers click/keydown/touchstart listeners that redirect users to https://abdct.com/ on first interaction (rate-limited via localStorage), and loads a remote script from https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js — browser-side affiliate-redirect infrastructure under a tutoring-themed cover page. Twelve of the bundled JS assets are heavily obfuscated. No preinstall/install/postinstall/prepare hooks are declared, so there is no install-time auto-execution against the installer.
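The indicators above (no lifecycle hooks, a main entry that calls a ServiceWorker global, placeholder metadata, a bundled publish script, remote script tags and first-interaction listeners in index.html) can be checked mechanically on an unpacked tarball. The Node helper below is an added triage example written for this advisory, not code from the package or from the advisory source; the file contents it runs on are constructed stand-ins that mimic the described layout, with a placeholder CDN domain.

```javascript
// Added triage helper for the indicators this advisory describes. Not code from
// nottuff15 or from amazon-inspector; SAMPLE below is a constructed stand-in.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const INTERACTION_EVENTS = ['click', 'keydown', 'touchstart'];

// files: { relativePath -> file text } for an unpacked package directory.
function triageNpmPackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const scripts = pkg.scripts || {};
  const main = files[pkg.main || 'index.js'] || '';
  const html = files['index.html'] || '';
  const externalScripts = [...html.matchAll(/<script[^>]+src=["'](https?:\/\/[^"']+)["']/gi)]
    .map((m) => m[1]);
  return {
    // Declared hooks run on `npm install`; an empty list means no install-time execution.
    installHooks: LIFECYCLE_HOOKS.filter((h) => h in scripts),
    // A Node entry point that calls a ServiceWorker global is not a usable library.
    mainUsesImportScripts: /\bimportScripts\s*\(/.test(main),
    placeholderMetadata: !pkg.author || pkg.description === 'package',
    // A bundled publish script is the mark of generator output in a spam campaign.
    bundledPublishScripts: Object.keys(files).filter((p) => /publish\.sh$/.test(p)),
    externalScripts,
    // First-interaction listeners in a static page are the redirect pattern to review.
    interactionListeners: INTERACTION_EVENTS.filter((e) =>
      new RegExp(`addEventListener\\(\\s*['"]${e}['"]`).test(html)),
  };
}

// Constructed sample mirroring the advisory's description (not the real tarball).
const SAMPLE = {
  'package.json': JSON.stringify({
    name: 'nottuff15', description: 'package', author: '', main: 'sw.js',
    scripts: { test: 'echo ok' },
  }),
  'sw.js': "importScripts('scramjet.sw.js');\n", // constructed first line
  'auto-publish.sh': '#!/bin/bash\n# constructed stand-in; real script not reproduced\n',
  'index.html':
    '<script src="https://cdn.example.invalid/x.js"></script>\n' + // placeholder domain
    "<script>document.addEventListener('click', go);" +
    "document.addEventListener('keydown', go);" +
    "document.addEventListener('touchstart', go);</script>",
};

console.log(triageNpmPackage(SAMPLE));
```

A package with no install hooks, a non-functional main entry and a browser-only payload is still worth blocking, since its risk is to the site that ends up hosting it rather than to the machine running `npm install`.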
Affected packages
No fixed version published yet for nottuff15 (npm). Pin to a known-safe version or switch to an alternative.