MAL-2026-5918

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8) This package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh which iterates the name list and runs `npm publish` for each, documenting the registry-pollution intent. The package's declared main entry `sw.js` is a browser ServiceWorker (`importScripts('./8cfc2/hgshm.js')`, `self.addEventListener('install'|'fetch'|...)`) — it cannot execute under Node, so `npm install` and `require()` produce no installer-side code execution and there are no lifecycle hooks. Heavily obfuscated bundles in assets/*.js are loaded only when the assets are served to a browser via an npm CDN (unpkg/jsdelivr), which appears to be the actual distribution channel — letting users bypass web filters by reaching the proxy through registry-CDN hostnames. The cover page (index.html, titled 'Riverbend Tutoring') ships a click/keydown/touchstart popunder opening https://abdct.com/, indicating ad-monetization motive. No installer credential theft, no exfiltration, no install-time RCE.