nottuff15 (npm)
Malicious code in nottuff15 (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
nottuff15 is one entry in a coordinated npm namespace-spam campaign. The tarball ships auto-publish.sh, a bash script that copies the package contents into ~95 differently named tarballs (imillegal*, ishowfeet*, nottuff1..30, abuden*, ratelimitsucks*) and force-publishes each via npm publish. The package's own name, 'nottuff15', appears in that list, which confirms this release is generator output. Package metadata is placeholder (description: "package", empty author).

The actual payload is a bundled SPA + ServiceWorker web proxy (Scramjet) plus a 5.4MB WASM-curl bundle in j3ve9/ls3ez.mjs. It is distributed via npm but intended to be hosted as a static site: npm is being abused as a static-asset CDN. The package's main entry (sw.js) calls importScripts() on its first line. importScripts() is a browser ServiceWorker global that is undefined in Node, so require('nottuff15') throws a ReferenceError immediately; there is no functioning library here.

The bundled index.html registers click/keydown/touchstart listeners that redirect users to https://abdct.com/ on first interaction (rate-limited via localStorage), and loads a remote script from https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js. This is browser-side affiliate-redirect infrastructure under a tutoring-themed cover page. Twelve of the bundled JS assets are heavily obfuscated.

No preinstall/install/postinstall/prepare hooks are declared, so there is no install-time auto-execution against the installer.
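The traits described above can be checked statically before a package is installed or mirrored. The following is an added example, not code from the package or from this advisory's tooling: `auditPackage`, its finding labels and the sample file contents are constructed for illustration, and the host in the sample is a placeholder.

```javascript
// Static triage of an unpacked npm tarball, passed in as a
// { relativePath: fileContents } map so the check runs offline.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function auditPackage(files) {
  const findings = [];
  const pkg = JSON.parse(files["package.json"] || "{}");

  // Scripts that npm would run automatically at install time.
  const hooks = LIFECYCLE_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
  if (hooks.length) findings.push("install-hooks:" + hooks.join(","));

  // Placeholder metadata: no author and an empty or "package" description.
  const author =
    typeof pkg.author === "object" && pkg.author ? pkg.author.name : pkg.author;
  if (!author && /^(package|)$/i.test((pkg.description || "").trim()))
    findings.push("placeholder-metadata");

  // Main entry whose first statement is a ServiceWorker-only global:
  // require() of such a package throws ReferenceError in Node.
  const main = (pkg.main || "index.js").replace(/^\.\//, "");
  const firstCode = (files[main] || "").split("\n")
    .find((l) => l.trim() && !l.trim().startsWith("//")) || "";
  if (/^\s*importScripts\s*\(/.test(firstCode))
    findings.push("main-is-browser-only:" + main);

  for (const [path, body] of Object.entries(files)) {
    // A shell script inside the tarball that itself runs `npm publish`.
    if (path.endsWith(".sh") && /\bnpm\s+publish\b/.test(body))
      findings.push("self-publishing-script:" + path);
    // Bundled HTML that pulls script from a remote host.
    if (path.endsWith(".html"))
      for (const m of body.matchAll(/<script[^>]+src=["']https?:\/\/([^/"']+)/gi))
        findings.push("remote-script-host:" + m[1]);
  }
  return findings;
}

// Constructed sample mirroring the layout described above (not real contents).
const SAMPLE = {
  "package.json": JSON.stringify({
    name: "sample-pkg", version: "1.0.0",
    description: "package", author: "", main: "sw.js" }),
  "sw.js": 'importScripts("./bundle.js");\nself.addEventListener("fetch", () => {});',
  "auto-publish.sh": "#!/bin/bash\nfor n in name-a name-b; do\n  npm publish\ndone\n",
  "index.html": '<html><script src="https://cdn.example.invalid/loader.js"></script></html>',
};
console.log(auditPackage(SAMPLE));
```

An empty `install-hooks` result does not clear a package: every other finding here fires on the sample even though nothing would execute at install time.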
Malicious versions
Indicators of compromise (SHA-256)
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder