VDB
KO

MAL-2026-10712

Malicious code in @hibachi-xyz/common (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (29d10da07b92571b7e043b1d5a8735143f7abac8e7759ae96b9f815052f01bf5) On require(), index.js enumerates process.env and filters keys matching credential-shaped patterns (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), collects os.hostname() and os.userInfo().username, and runs execSync("whoami && id && cat /proc/1/cgroup...") for container/CI fingerprinting. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with rejectUnauthorized:false, disabling TLS certificate validation. The package's stated purpose is "Shared utilities," which does not match the observed credential and host-identity collection. Any process that imports this package leaks environment secrets and host identity to the hardcoded endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @hibachi-xyz/common

No fixed version published yet for @hibachi-xyz/common (npm). Pin to a known-safe version or switch to an alternative.

References