Malicious package

nottuff25 (npm)

Malicious code in nottuff25 (npm)

Remove it immediately and rotate any exposed credentials.

MAL-2026-5916
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall nottuff25

What this malware does

The tarball is not a Node library. package.json declares main: sw.js with description "package" and an empty author; sw.js is a browser ServiceWorker (importScripts('./8cfc2/hgshm.js'), self.skipWaiting(), self.clients, fetch interception) that has no meaning when consumed via require('nottuff25') in Node.

The shipped static site bundles the Mercury Workshop Scramjet web proxy plus bare-mux, branded as "Riverbend Tutoring" while pointing og:url at 21baseballacademy.com — a misrepresentation of what the npm name advertises.

The tarball also ships auto-publish.sh, a bash script with a hardcoded list of 95+ sibling package names (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) that rewrites package.json and runs npm publish --silent in a loop — the attacker's own mass-publication pipeline shipped inside the artifact, with the current package name nottuff25 appearing as a literal entry in that list.

index.html additionally registers click/keydown/touchstart listeners that open https://abdct.com/ as a popunder on first interaction (browser-side adware, not installer-side).

No install/require-time exfil, RCE, or credential theft is present, but this is a coordinated namespace-pollution campaign and the package misrepresents itself to npm consumers.

Malicious versions

1 flagged
1.7.7

Indicators of compromise (SHA-256)

238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0

Frequently asked questions

No. nottuff25 on npm has been identified as a malicious package (version 1.7.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.
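To turn the advisory's name, version and tarball hash into a repeatable check, the following script (added here as an illustration; it is not code from the advisory or from O3 Security) scans a package-lock.json for any copy of the flagged package, including transitive copies, and compares a downloaded tarball's SHA-256 against the indicator above. The lockfile contents and the tarball bytes in the example are constructed stand-ins, not real project data.

```python
import hashlib
import json

# Indicators taken from the advisory on this page.
FLAGGED_PACKAGE = "nottuff25"
FLAGGED_VERSIONS = {"1.7.7"}
IOC_SHA256 = {"238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0"}


def find_flagged_in_lockfile(lockfile_text):
    """Return every occurrence of the flagged package in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 ("dependencies" nested by bare name). Every version is
    reported, because any copy of the package should be removed; entries whose
    version is in the advisory's flagged set are additionally marked.
    """
    lock = json.loads(lockfile_text)
    hits = []

    for path, meta in lock.get("packages", {}).items():
        # v2/v3 keys look like "node_modules/foo" or "node_modules/a/node_modules/foo";
        # the root project is keyed by the empty string and is skipped.
        name = path.rsplit("node_modules/", 1)[-1]
        if path and name == FLAGGED_PACKAGE:
            version = meta.get("version", "")
            hits.append({"path": path, "version": version,
                         "flagged_version": version in FLAGGED_VERSIONS})

    def walk_v1(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == FLAGGED_PACKAGE:
                version = meta.get("version", "")
                hits.append({"path": path, "version": version,
                             "flagged_version": version in FLAGGED_VERSIONS})
            walk_v1(meta.get("dependencies", {}), path + "/")

    # v2 lockfiles carry both sections; only fall back to the v1 tree when
    # "packages" is absent, so nothing is counted twice.
    if "packages" not in lock:
        walk_v1(lock.get("dependencies", {}), "")
    return hits


def sha256_hex(data):
    """Hex SHA-256 of raw bytes, the form the advisory lists its indicator in."""
    return hashlib.sha256(data).hexdigest()


def tarball_matches_ioc(data):
    """True if the tarball bytes hash to a SHA-256 listed in the advisory."""
    return sha256_hex(data) in IOC_SHA256


# Constructed sample lockfiles (not from any real project). The v3 sample has the
# flagged package pulled in transitively; the v1 sample carries an unflagged version.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-dep": {"version": "2.0.0"},
        "node_modules/example-dep/node_modules/nottuff25": {"version": "1.7.7"},
    },
})

SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "example-dep": {
            "version": "2.0.0",
            "dependencies": {"nottuff25": {"version": "1.0.0"}},
        },
    },
})

if __name__ == "__main__":
    for hit in find_flagged_in_lockfile(SAMPLE_LOCKFILE_V3):
        print(hit)
    # Constructed bytes standing in for a downloaded tarball; they will not match.
    print(tarball_matches_ioc(b"not the real tarball"))
```

Run it against a real lockfile by reading the file's text into find_flagged_in_lockfile, and against a tarball fetched from the registry cache by passing its bytes to tarball_matches_ioc. Because the script reports every version of the package, not only 1.7.7, it supports the advisory's instruction to remove the package entirely rather than pin to a different release.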

Campaign

IN-MAL-2026-006819

References

Credits

  • Amazon Inspector · finder

nottuff25 (npm) malicious package — MAL-2026-5916 | O3 Security