Malicious package

abuden22 (npm)

Malicious code in abuden22 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6129
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall abuden22

What this malware does

The tarball contains a static-site bundle: index.html, obfuscated asset chunks, a service worker (sw.js), and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js.

The package's declared main entry is sw.js, which is a browser ServiceWorker (it uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node: require()/import in Node throws on those globals. There are no preinstall/install/postinstall lifecycle hooks; only a test script is declared.

The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temp directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1, ...) via npm publish --silent, using the author's own ambient credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on npm install.

index.html also contains a browser-side popunder that opens https://abdct.com/ on the first user gesture; this only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle.

There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install/import, or otherwise harms the installer's environment. The package is registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.
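The install-time questions the analysis above answers (are any lifecycle hooks declared, does the main entry even run in Node, is the shipped shell script wired to anything npm would execute) can be checked mechanically on an unpacked tarball. The following Python triage helper is an added example, not tooling from O3 Security or Amazon Inspector; the embedded package.json and file contents are constructed to mirror the findings described above.

```python
import json
import re

# Lifecycle scripts npm runs automatically during a registry install or publish.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "prepublishOnly", "prepack", "postpack",
}
# Globals that exist only inside a browser ServiceWorker, never in Node.
BROWSER_ONLY = re.compile(r"\bimportScripts\s*\(|\bself\.addEventListener\s*\(")

# Constructed sample mirroring the advisory: main entry is a ServiceWorker,
# only a "test" script is declared, and auto-publish.sh is shipped but unwired.
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "abuden22", "version": "1.7.7", "main": "sw.js",
        "scripts": {"test": "echo \"Error: no test specified\" && exit 1"},
    }),
    "sw.js": "importScripts('./8cfc2/hgshm.js');\n"
             "self.addEventListener('fetch', (e) => {});\n",
    "index.html": "<html><body>static site</body></html>",
    "auto-publish.sh": "#!/bin/bash\nfor i in 1 2 3; do npm publish --silent; done\n",
}


def triage(files):
    """Answer the install-time questions for an unpacked npm tarball.

    files maps a tarball-relative path to that file's text content.
    """
    pkg = json.loads(files["package.json"])
    scripts = pkg.get("scripts", {})
    bin_field = pkg.get("bin", {})
    bin_targets = set(bin_field.values()) if isinstance(bin_field, dict) else {bin_field}
    # Anything named in a script command or a bin entry can be reached by npm;
    # every other file in the tarball is inert unless a human runs it by hand.
    wired = " ".join(scripts.values()) + " " + " ".join(bin_targets)
    main = pkg.get("main", "index.js")
    shell_scripts = sorted(f for f in files if f.endswith(".sh"))
    return {
        "lifecycle_hooks": sorted(k for k in scripts if k in LIFECYCLE_HOOKS),
        "main": main,
        "main_is_browser_only": bool(BROWSER_ONLY.search(files.get(main, ""))),
        "unwired_shell_scripts": [f for f in shell_scripts if f not in wired],
    }


def runs_at_install(report):
    """True only if npm itself would execute package code during install."""
    return bool(report["lifecycle_hooks"])
```

An empty lifecycle_hooks list together with a browser-only main entry is exactly the "no Node-reachable code path" finding; a non-empty list is the case that warrants a full install-time analysis.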

Malicious versions

1 flagged
1.7.7

Indicators of compromise (SHA-256)

1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57

Frequently asked questions

No. abuden22 on npm has been identified as a malicious package (version 1.7.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007008

Credits

  • Amazon Inspector · finder

abuden22 (npm) malicious package — MAL-2026-6129 | O3 Security