
MAL-2026-6130

Malicious code in abuden221 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90)

The tarball is a static-site / web-proxy build (index.html, /assets/*.js bundles with obfuscated names, a .well-known/discord verification file, branding) rather than a Node.js library. package.json declares main: sw.js, but sw.js is a browser ServiceWorker that calls importScripts('./8cfc2/hgshm.js'), a global that does not exist in Node, so require()-ing this package throws before any code runs. There are no preinstall/install/postinstall/prepare lifecycle hooks and no Node-reachable network I/O, credential reads, or shell execution, so installing the package does not produce installer-side harm.

The bundled service worker is an Ultraviolet-style web proxy that, when deployed in a browser, injects a script into proxied HTML responses to redirect window.open / anchor clicks / form submits via postMessage; that is hostile to users of a deployed proxy site, not to npm installers.

The tarball also ships auto-publish.sh, a loop that copies the project to a temp dir, rewrites the name field in package.json through 10 sequential names (ratelimitsucks, ratelimitsucks1..ratelimitsucks9), and runs `npm publish --silent` in parallel: registry-namespace-spam tooling. The script is not wired to any lifecycle hook and does not run on install. Obfuscated bundles under assets/ are typical for a deployed proxy frontend and do not execute in Node.

Routed to human review because the package is misusing npm as static hosting and documents intent to mass-publish duplicates under sequential names; this is registry abuse worth a maintainer/registry response, but not a supply-chain attack against installers.
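The analysis above is a manual triage: lifecycle hooks, whether the declared entry point can even load in Node, whether the contents are a static site, and whether publish tooling is bundled. The following is an added example (not code from the advisory, the scanner, or the package) that automates those same checks over a parsed package.json and a tarball file listing. The helper name `triagePackage`, the finding codes, the browser-only global patterns, and the sample file contents are assumptions for this example; the sample file names are taken from the analysis above, but the package name and contents are constructed, not extracted from the real tarball.

```javascript
// Added triage helper (example code; not part of the advisory or the package
// it describes). Given a parsed package.json, the tarball's file list and,
// optionally, the text of selected files, it applies the checks the analysis
// above performs by hand: lifecycle hooks, a browser-only entry point,
// static-site payload, and bundled registry-publish tooling.

const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepare', 'prepublish', 'prepublishOnly',
];

// Globals that exist in a browser / ServiceWorker but not in Node. Their use
// in the entry file means require() cannot succeed. (Pattern set is assumed.)
const BROWSER_ONLY_GLOBALS = [
  /\bimportScripts\s*\(/,
  /\bself\.addEventListener\s*\(\s*['"]fetch['"]/,
  /\bnavigator\.serviceWorker\b/,
];

function triagePackage(pkg, files, sources = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};

  // 1. Anything in these hooks runs on the installer's machine at install time.
  const hooks = Object.keys(scripts).filter((k) => LIFECYCLE_HOOKS.includes(k));
  if (hooks.length) {
    findings.push({
      code: 'LIFECYCLE_HOOK',
      detail: hooks.map((h) => `${h}: ${scripts[h]}`).join('; '),
    });
  }

  // 2. Does the declared entry point exist, and can Node actually load it?
  const main = pkg.main || 'index.js';
  if (!files.includes(main)) {
    findings.push({ code: 'MISSING_ENTRY', detail: `main "${main}" is not in the tarball` });
  } else if (sources[main] && BROWSER_ONLY_GLOBALS.some((re) => re.test(sources[main]))) {
    findings.push({
      code: 'BROWSER_ONLY_ENTRY',
      detail: `main "${main}" uses ServiceWorker/browser globals; require() throws in Node`,
    });
  }

  // 3. Static-site layout: HTML plus bundled assets rather than a library.
  const htmlCount = files.filter((f) => /\.html?$/i.test(f)).length;
  const assetCount = files.filter((f) => /^assets\//.test(f)).length;
  if (htmlCount > 0 && assetCount > 0) {
    findings.push({
      code: 'STATIC_SITE_PAYLOAD',
      detail: `${htmlCount} HTML file(s), ${assetCount} bundled asset(s)`,
    });
  }

  // 4. Shipped shell scripts that publish to the registry: namespace-spam tooling.
  for (const f of files.filter((p) => /\.sh$/.test(p))) {
    if (/\bnpm\s+publish\b/.test(sources[f] || '')) {
      findings.push({ code: 'PUBLISH_TOOLING', detail: `${f} runs npm publish` });
    }
  }

  // Only lifecycle hooks make the package dangerous to install; the rest is
  // context for a human reviewer or a registry report.
  return { installTimeRisk: hooks.length > 0, findings };
}

// Constructed sample mirroring the layout described in the analysis above.
// File names follow the advisory; the package name and file contents are
// assumed for this example and were not taken from the real tarball.
const SAMPLE_PKG = {
  name: 'example-package',
  version: '1.0.0',
  main: 'sw.js',
  scripts: { build: 'vite build' },
};
const SAMPLE_FILES = [
  'package.json', 'index.html', 'sw.js', '8cfc2/hgshm.js',
  'assets/a1b2c3.js', 'assets/d4e5f6.js', '.well-known/discord', 'auto-publish.sh',
];
const SAMPLE_SOURCES = {
  'sw.js': "importScripts('./8cfc2/hgshm.js');\nself.addEventListener('fetch', (e) => {});\n",
  'auto-publish.sh':
    "#!/bin/sh\nfor i in 1 2 3; do (cp -r . /tmp/p$i && cd /tmp/p$i && npm publish --silent) & done\nwait\n",
};

function sampleTriage() {
  return triagePackage(SAMPLE_PKG, SAMPLE_FILES, SAMPLE_SOURCES);
}

console.log(JSON.stringify(sampleTriage(), null, 2));
```

Run against the constructed sample, the result has `installTimeRisk: false` with BROWSER_ONLY_ENTRY, STATIC_SITE_PAYLOAD and PUBLISH_TOOLING findings, which is the same verdict the analysis reaches: nothing runs at install, but the package is registry abuse. Feeding it a package.json with a postinstall script flips `installTimeRisk` to true, which is the case that warrants treating the package as a supply-chain threat to installers.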

Is this version affected?

Enter the package version you are using for an immediate assessment.

Affected packages

npm / abuden221

No fixed version has been published for abuden221 (npm). The analysis above identifies the package as a static-site payload and registry-spam tooling rather than a library, so there is no safe version to pin to: remove the dependency or switch to an alternative.

References