Malicious code in ratelimitsucks (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package is not a library. Its main field points at sw.js, a browser Service Worker that calls importScripts, self.addEventListener('fetch'|'install'|'activate') and self.clients.claim(), all of which are undefined in Node, so require('ratelimitsucks') throws on the first line. There are no install lifecycle hooks (scripts declares only test), so npm install of this package does not auto-execute any code on the installer's machine.

The shipped contents are:

- a school-filter-bypass web proxy: 12 heavily obfuscated assets/*.js files with hex-mangled identifiers, plus a Service Worker that rewrites HTML responses and intercepts navigation;
- an index.html cover page ("Riverbend Tutoring") that loads a third-party script from cdn.21baseballacademy.com and opens a popunder to abdct.com;
- an auto-publish.sh script that loops i=1..10, rewrites package.json.name to ratelimitsucks, ratelimitsucks1, ..., ratelimitsucks9 and runs npm publish for each: the author's own mass-publication pipeline, shipped inside the tarball.

Direct harm to a developer who installs this package is effectively nil (no hooks, no require-safe entry point). The harms are (a) abuse of the npm registry as a CDN for an unrelated proxy site, (b) demonstrated typosquat/name-squatting intent across 10 sibling names, and (c) a popunder ad redirect served from the cover page. Routing to human review for unpublish/registry-abuse handling rather than blocking as an installer-side supply-chain attack.
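As an added example (not the vendor's tooling or anything from the package), a Python triage check that applies the two tests the analysis above rests on: whether package.json declares install-time lifecycle hooks, and whether the main entry point depends on browser-only Service Worker APIs. The sample package.json and sw.js are constructed to mirror the description, not copied from the tarball.

```python
import json
import re

# Install-time lifecycle scripts npm runs for a dependency fetched from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Browser-only Service Worker APIs; undefined in Node, so a top-level call makes require() throw.
SW_API_PATTERNS = {
    "importScripts": r"\bimportScripts\s*\(",
    "self.addEventListener": r"\bself\.addEventListener\s*\(",
    "self.clients.claim": r"\bself\.clients\.claim\s*\(",
    "self.skipWaiting": r"\bself\.skipWaiting\s*\(",
}

def install_hooks(pkg: dict) -> list:
    """Return the install-time lifecycle hooks declared in package.json."""
    scripts = pkg.get("scripts") or {}
    return [h for h in INSTALL_HOOKS if h in scripts]

def sw_apis_used(source: str) -> list:
    """Return the browser-only Service Worker APIs referenced in a JS source."""
    return [name for name, pat in SW_API_PATTERNS.items() if re.search(pat, source)]

def triage(package_json: str, main_source: str) -> dict:
    """Classify a tarball by install-time exposure and Node-loadability of its main file."""
    pkg = json.loads(package_json)
    hooks = install_hooks(pkg)
    apis = sw_apis_used(main_source)
    if hooks:
        verdict = "runs-on-install"    # code executes on the installer's machine
    elif apis:
        verdict = "not-node-loadable"  # browser asset hosted via npm: registry abuse, not installer harm
    else:
        verdict = "needs-review"
    return {"name": pkg.get("name"), "main": pkg.get("main"),
            "hooks": hooks, "sw_apis": apis, "verdict": verdict}

# Constructed sample mirroring the advisory's description (not the real tarball contents).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "ratelimitsucks", "version": "1.0.0", "main": "sw.js",
    "scripts": {"test": "echo \"Error: no test specified\" && exit 1"},
})
SAMPLE_SW_JS = """importScripts('assets/_0x1a2b.js');
self.addEventListener('install', () => self.skipWaiting());
self.addEventListener('activate', () => self.clients.claim());
self.addEventListener('fetch', e => e.respondWith(fetch(e.request)));
"""
if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE_JSON, SAMPLE_SW_JS), indent=2))
```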
Credits
- Amazon Inspector · finder
O3 Security blocks malicious packages like this at install time and in CI.