
MAL-2026-5398

Malicious code in hey-base32 (npm)

Details


## Source: amazon-inspector (f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517)

The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation. Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval — granting whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI. Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, SIGKILL that pid, then walk /proc/*/cmdline killing any other process whose cmdline contains 'portloop/index.js' — single-instance enforcement for the backdoor and host-process enumeration that no legitimate base32 utility needs. README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel — deliberate misdirection hiding the backdoor surface from anyone reading the documentation. Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay.
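The indicators in the report above (a declared dependency on portloop contradicting a "zero-dependency" README, a bin script that starts a portloop tunnel, and process-killing logic) can be checked mechanically before a package is allowed into a build. The following audit function is an added example, not code from the advisory or from Amazon Inspector; it assumes the package has already been unpacked and its package.json, README.md and bin script are available as strings, and the sample inputs at the bottom are constructed to mirror the description, not the real package contents.

```python
import json
import re

# Indicator strings taken from the advisory text; not an exhaustive list.
TUNNEL_DEPENDENCY = "portloop"
PIDFILE_NAME = ".portloop.url.pid"
CMDLINE_MARKER = "portloop/index.js"
ZERO_DEP_CLAIM = re.compile(r"zero[-\s]dependency", re.IGNORECASE)

def declared_dependencies(package_json_text):
    """Return every package named under dependencies/optionalDependencies."""
    manifest = json.loads(package_json_text)
    names = set()
    for field in ("dependencies", "optionalDependencies"):
        names.update(manifest.get(field, {}))
    return names

def audit_package(package_json_text, readme_text, bin_source):
    """Return a list of human-readable findings for one unpacked npm package.
    bin_source is the concatenated source of the scripts listed under "bin"."""
    findings = []
    deps = declared_dependencies(package_json_text)
    if TUNNEL_DEPENDENCY in deps:
        findings.append(f"declares dependency on {TUNNEL_DEPENDENCY}")
    if ZERO_DEP_CLAIM.search(readme_text) and deps:
        findings.append(f"README claims zero-dependency but package.json declares {sorted(deps)}")
    if TUNNEL_DEPENDENCY in bin_source and ".start(" in bin_source:
        findings.append("bin script starts a portloop tunnel")
    if PIDFILE_NAME in bin_source or CMDLINE_MARKER in bin_source:
        findings.append("bin script references the portloop pid file or process marker")
    if re.search(r"SIGKILL|process\.kill\(", bin_source):
        findings.append("bin script kills other processes")
    return findings

# Constructed sample inputs (version "0.0.0" is a placeholder, not a real affected version).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "hey-base32", "version": "0.0.0",
                                  "bin": {"hey-base32": "bin/hey-base32.js"},
                                  "dependencies": {"portloop": "*"}})
SAMPLE_README = "# hey-base32\nA zero-dependency base32 encoder/decoder."
SAMPLE_BIN = "const portloop = require('portloop');\nprocess.kill(pid, 'SIGKILL');\nportloop.start({});"

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_README, SAMPLE_BIN):
        print("FINDING:", finding)
```

Run it against the contents of the tarball fetched with `npm pack` rather than against an installed copy, so no install scripts or bin entries execute during the check.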


Affected packages

npm / hey-base32

No fixed version published yet for hey-base32 (npm). Pin to a known-safe version or switch to an alternative.
