Malicious package

abuden218 (npm)

Malicious code in abuden218 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6128
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall abuden218

What this malware does

Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry (it calls importScripts) that throws when loaded under Node, so the package is not a usable npm library. The shipped contents are a static web-proxy application (bare-mux v2.1.9 plus a service-worker proxy in sw.js). index.html presents the bundle as 'Riverbend Tutoring', while the bundle also includes a Roblox shortcut icon and code that opens https://abdct.com/ on user interaction. All 12 asset JS files are heavily obfuscated, with hex-prefixed identifiers such as _0xaaed02 throughout assets/*.js.

The tarball additionally ships auto-publish.sh, a shell script that iterates the names 'ratelimitsucks', 'ratelimitsucks1', ..., copies the tree to a temp dir, rewrites package.json.name, and runs npm publish --silent in parallel. This is the author's own mass-republishing pipeline, accidentally included in the release.

The package has no lifecycle hooks, so installing it does not directly execute code on the installer. The harm is registry pollution and consumer deception: developers who npm install this expecting a library get a non-functional service-worker bundle masquerading as one of many spam-named republishes.
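A static triage check for the traits described above, added here as an example (it is not code from this advisory or from the package). The function name, the path-to-text input shape and the threshold of three obfuscated identifiers are assumptions, and the sample file contents are constructed.

```javascript
// Added example: static triage of an unpacked npm tarball for the traits in this advisory.
// `files` (relative path -> file text) is an assumed input shape; build it from an
// extracted tarball. Nothing from the package is executed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const OBFUSCATED_ID = /\b_0x[0-9a-f]{4,}\b/g; // hex-prefixed names such as _0xaaed02
const MIN_OBFUSCATED_IDS = 3;                 // assumed threshold, tune for your corpus

function triagePackage(files) {
  const findings = [];
  const manifest = JSON.parse(files['package.json'] || '{}');
  const main = (manifest.main || 'index.js').replace(/^\.\//, '');

  // Entry point written for a service-worker scope: importScripts does not exist in Node.
  if (/\bimportScripts\s*\(/.test(files[main] || '')) {
    findings.push(`${main}: main entry calls importScripts (service worker, not a Node library)`);
  }
  for (const [path, text] of Object.entries(files)) {
    // Shell script that republishes the tree.
    if (path.endsWith('.sh') && /\bnpm\s+publish\b/.test(text)) {
      findings.push(`${path}: shell script runs npm publish`);
    }
    // Heavily obfuscated JavaScript.
    if (path.endsWith('.js') && (text.match(OBFUSCATED_ID) || []).length >= MIN_OBFUSCATED_IDS) {
      findings.push(`${path}: obfuscated hex-prefixed identifiers`);
    }
  }
  // Lifecycle hooks decide whether installing runs code, so report them separately.
  const hooks = LIFECYCLE_HOOKS.filter((h) => Boolean((manifest.scripts || {})[h]));
  return { findings, hooks };
}

// Constructed sample that mirrors the layout described above (not the real file contents).
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'sample-pkg', version: '0.0.0', main: 'sw.js' }),
  'sw.js': "importScripts('assets/worker.js');",
  'assets/app.js': 'var _0xaaed02=_0x1b2c3d(_0x4e5f6a);',
  'auto-publish.sh': '#!/bin/sh\n# constructed stub\nnpm publish --silent\n',
};

const report = triagePackage(SAMPLE);
console.log(report.findings.join('\n'));
console.log('lifecycle hooks:', report.hooks.length ? report.hooks.join(', ') : 'none');
```

An empty hooks list with non-empty findings matches the profile above: nothing runs at install time, but the package is not what its manifest claims.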

Malicious versions

1 flagged
1.7.7

Indicators of compromise (SHA-256)

5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66

Frequently asked questions

No. abuden218 on npm has been identified as a malicious package (version 1.7.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007007

Credits

  • Amazon Inspector · finder

abuden218 (npm) malicious package — MAL-2026-6128 | O3 Security