Which versions of nottuff7 are malicious?

The following npm versions of nottuff7 are flagged malicious: 1.7.7. Treat any of these as compromised.

How do I remediate nottuff7 if I installed it?

Remove nottuff7 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is nottuff7 part of a known attack campaign?

Yes — nottuff7 is associated with the IN-MAL-2026-006821 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect nottuff7 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking nottuff7 and packages like it before any post-install script runs.

Malicious package

nottuff7npm

Malicious code in nottuff7 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5918

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall nottuff7

What this malware does

This package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh which iterates the name list and runs npm publish for each, documenting the registry-pollution intent. The package's declared main entry sw.js is a browser ServiceWorker (importScripts('./8cfc2/hgshm.js'), self.addEventListener('install'|'fetch'|...)) — it cannot execute under Node, so npm install and require() produce no installer-side code execution and there are no lifecycle hooks. Heavily obfuscated bundles in assets/*.js are loaded only when the assets are served to a browser via an npm CDN (unpkg/jsdelivr), which appears to be the actual distribution channel — letting users bypass web filters by reaching the proxy through registry-CDN hostnames. The cover page (index.html, titled 'Riverbend Tutoring') ships a click/keydown/touchstart popunder opening https://abdct.com/, indicating ad-monetization motive. No installer credential theft, no exfiltration, no install-time RCE.

Malicious versions

1 flagged

1.7.7

Indicators of compromise (SHA-256)

014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8

Frequently asked questions

No. nottuff7 on npm has been identified as a malicious package (version 1.7.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006821

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection