MAL-2026-6136

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0) ratelimitsucks6 is one variant in a numerically-iterated family (ratelimitsucks1, ratelimitsucks2,...) generated by auto-publish.sh shipped inside the tarball. That script is an infinite loop that rewrites package.json's `name` field to ${BASE_NAME}${COUNT} and runs `npm publish --silent` for each variant — attacker auto-publication infrastructure accidentally included with the release. Package metadata is deceptive: description is just "package", author is empty, and the package name has no relation to the shipped contents. The tarball ships a full Scramjet web-proxy runtime (sw.js + 8cfc2/hgshm.js, 180 KB), twelve heavily-obfuscated JS bundles under assets/ (hex-mangled identifiers throughout), and an index.html cloaked as "Riverbend Tutoring" that loads a third-party script from cdn.21baseballacademy.com and opens https://abdct.com/ in a new window on the first user interaction. No npm lifecycle hooks are declared and `main: sw.js` calls importScripts() which is undefined in Node, so the package does not auto-execute on `npm install` or `require()`. The harm is registry pollution and namespace abuse: the publisher is flooding npm with iterated lure names hosting an obfuscated browser-side proxy/redirector payload.