abuden21 (npm)
Malicious code in abuden21 (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
The tarball ships auto-publish.sh, which iterates a hardcoded list of ~90 unrelated package names (imillegal1..N, ishowfeet*, nottuff*, abuden*, ratelimitsucks*) and runs npm publish --silent for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in assets/*.js.

package.json has no preinstall/install/postinstall hooks and no bin; the declared main is a browser service worker (sw.js) that calls importScripts/self and throws immediately under Node, so npm install abuden21 and require('abuden21') perform no code execution against the installer.

The bundled index.html (and a duplicate inside logo.svg) registers click/keydown/touchstart handlers that open https://abdct.com/ as a popunder on first user gesture when the SPA is served in a browser: monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper.

The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.
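A defender-side check for the namespace-pollution pattern described above, added here as an example and not part of the advisory: it groups packages whose latest tarball carries the same integrity value and flags groups that span unrelated name families, and separately flags a declared main that is a service worker. The packuments, name variants such as ishowfeet3, and the integrity strings are constructed placeholders.

```javascript
// Constructed sample packuments (minimal registry metadata); integrity values are placeholders.
const packuments = [
  { name: "abuden21", "dist-tags": { latest: "1.0.0" },
    versions: { "1.0.0": { main: "sw.js", dist: { integrity: "sha512-PLACEHOLDER_A" } } } },
  { name: "ishowfeet3", "dist-tags": { latest: "1.0.0" },
    versions: { "1.0.0": { main: "sw.js", dist: { integrity: "sha512-PLACEHOLDER_A" } } } },
  { name: "nottuff7", "dist-tags": { latest: "2.1.0" },
    versions: { "2.1.0": { main: "sw.js", dist: { integrity: "sha512-PLACEHOLDER_A" } } } },
  { name: "ratelimitsucks2", "dist-tags": { latest: "1.0.0" },
    versions: { "1.0.0": { main: "sw.js", dist: { integrity: "sha512-PLACEHOLDER_A" } } } },
  { name: "left-pad-ish", "dist-tags": { latest: "3.0.0" },
    versions: { "3.0.0": { main: "index.js", dist: { integrity: "sha512-PLACEHOLDER_B" } } } },
];
// Latest published version object, or null if the packument is malformed.
function latestVersion(pkg) {
  const tag = pkg["dist-tags"] && pkg["dist-tags"].latest;
  return (tag && pkg.versions && pkg.versions[tag]) || null;
}

// "abuden21" -> "abuden": numbered variants of one name are one family, not squatting.
function nameFamily(name) {
  return name.toLowerCase().replace(/[-_.]?\d+$/, "");
}

// Group packages by the integrity of their latest tarball; report groups that
// span several unrelated name families (the mass-republish pattern).
function findSharedTarballClusters(pkgs, minFamilies = 2) {
  const byIntegrity = new Map();
  for (const pkg of pkgs) {
    const v = latestVersion(pkg);
    const integrity = v && v.dist && v.dist.integrity;
    if (!integrity) continue;
    if (!byIntegrity.has(integrity)) byIntegrity.set(integrity, new Set());
    byIntegrity.get(integrity).add(pkg.name);
  }
  const clusters = [];
  for (const [integrity, names] of byIntegrity) {
    const families = new Set([...names].map(nameFamily));
    if (families.size >= minFamilies) {
      clusters.push({ integrity, names: [...names].sort(), families: [...families].sort() });
    }
  }
  return clusters;
}
// A declared "main" that is a service worker cannot load under Node: not a library.
function mainIsServiceWorker(pkg) {
  const v = latestVersion(pkg);
  return !!v && /(^|\/)sw\.js$/.test(v.main || "");
}
```

The same functions apply unchanged to real packument JSON fetched from the registry.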
Credits
- Amazon Inspector · finder