Malicious package: nottuff4 (npm)

Malicious code in nottuff4 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5917
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall nottuff4

What this malware does

The package ships a Scramjet-based web proxy (sw.js service worker + bare-mux + WASM rewriter under assets/) plus a static 'Riverbend Tutoring' index.html cover page. index.html lines 60-69 install click/keydown/touchstart listeners that call window.open("https://abdct.com/", "_blank", "noreferrer") on the first user interaction. The package is one of ~85 throwaway sibling names auto-published via the bundled auto-publish.sh (imillegal*, ishowfeet*, nottuff*, abuden*, ratelimitsucks*); package.json carries placeholder metadata (name 'package', empty author, no homepage/repo). The asset JavaScript is heavily obfuscated (hex-mangled identifiers throughout assets/*.js), consistent with the upstream Scramjet bundles. main is set to sw.js, which begins with importScripts('./8cfc2/hgshm.js') and uses service-worker globals (self.addEventListener for install/activate/fetch/message); require('nottuff4') from Node throws on the first line, so there is no install-time or import-time code path that executes against a developer who runs npm install nottuff4. The harm — namespace pollution, ToS-evading proxying, and the monetized popup redirect — only materializes when someone unpacks the tarball and serves it as a website to browser visitors. Routed for human review as registry-policy abuse rather than as a supply-chain attack on installers.

Malicious versions

1 flagged
1.7.7

Indicators of compromise (SHA-256)

c4f105cfb08cd05b609d2fb92793d7f8cb61d42add7d39e2491e6ba791f550e1

Frequently asked questions

No. nottuff4 on npm has been identified as a malicious package (version 1.7.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006818

Credits

  • Amazon Inspector · finder

nottuff4 (npm) malicious package — MAL-2026-5917 | O3 Security