
MAL-2026-5937

Malicious code in abuden21 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22)

The tarball ships `auto-publish.sh`, which iterates a hardcoded list of ~90 unrelated package names (`imillegal1..N`, `ishowfeet*`, `nottuff*`, `abuden*`, `ratelimitsucks*`) and runs `npm publish --silent` for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in `assets/*.js`.

`package.json` has no `preinstall`/`install`/`postinstall` hooks and no `bin`; the declared `main` is a browser service worker (`sw.js`) that calls `importScripts`/`self` and throws immediately under Node, so `npm install abuden21` and `require('abuden21')` perform no code execution against the installer. The bundled `index.html` (and a duplicate inside `logo.svg`) registers click/keydown/touchstart handlers that open `https://abdct.com/` as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper.

The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.


Affected packages

npm / abuden21

No fixed version published yet for abuden21 (npm). Pin to a known-safe version or switch to an alternative.
