MAL-2026-6129

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57) The tarball contains a static-site bundle (index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js). The package's declared main entry is sw.js, which is a browser ServiceWorker (uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node — require()/import in Node throws on those globals. There are no preinstall/install/postinstall lifecycle hooks; only a `test` script is declared. The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temp directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1,...) via `npm publish --silent`, using the author's own ambient credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on `npm install`. index.html also contains a browser-side popunder that opens https://abdct.com/ on the first user gesture, which only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle. There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install/import, or otherwise harms the installer's environment. The package is registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.