MAL-2026-10732
Malicious code in hehehe (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (588dd776720f805d7d84a58c93ffcd21ed860e3fc21a48787d732eb6180b974d) Package is published as an 'enterprise Windows Diagnostic Utility' but is an anti-proctoring cheating tool that also steals the installer's browser session cookies. main.js invokes a bundled PowerShell routine that opens Chrome, Edge, and Brave 'Local State' files, decrypts the DPAPI-wrapped AES-256-GCM key, and reads each browser's Cookies SQLite database to extract cookies for.openai.com,.chatgpt.com, auth.openai.com, and auth0.openai.com; the decrypted cookies are then injected into the tool's own Electron session to hijack the installer's ChatGPT login. The bin launcher copies electron.exe to 'SearchFilterHost.exe' inside electron/dist to masquerade as a signed Windows Search subsystem process, spawns a detached background watchdog that respawns with random jitter when killed, and uses SetWindowDisplayAffinity WDA_EXCLUDEFROMCAPTURE plus a '--seb-child' Safe Exam Browser migration path to evade Testpad/AMCAT/SEB proctoring. Ships an undocumented 27MB Windows PE binary bin/uia_extract.exe that main.js executes via `python "${pyPath}" || "${exePath}"` with no hash or signature verification. SECTION_PROMPTS constants for AMCAT sections (GEN/DEB/APT/PRG) and a 'FINAL ANSWER:' extraction contract confirm the cheating-tool payload behind the diagnostic cover story.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for hehehe (npm). Pin to a known-safe version or switch to an alternative.