VDB
EN

MAL-2026-10716

Malicious code in @hibachi-xyz/ui (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (308aa7f8a3746a346bbed305975f68d110bcf6b98815b7bf9f579e37089fd78b) The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require, enumerates process.env and collects every variable whose name matches a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), captures hostname and username, and invokes child_process.execSync to run 'whoami && id && cat /proc/1/cgroup' for container/host fingerprinting. The combined JSON payload is POSTed to the hardcoded endpoint https://jorijo.xyz:8443/t with TLS verification disabled (rejectUnauthorized:false). The package name and description mismatch the actual contents and appear to be cover for a dependency-confusion attack against the @hibachi-xyz scope at version 99.0.0.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @hibachi-xyz/ui

No fixed version published yet for @hibachi-xyz/ui (npm). Pin to a known-safe version or switch to an alternative.

참고