MAL-2026-6449

Malicious code in howdybase32 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c0eab759e668db62de0eaa10d1f5d32c689b00c7c3d6d2b1517439cc5df3e956)

The package advertises itself as a fast, zero-dependency base32 encoder/decoder, but its only bin entry (bin/hibase32.js) silently invokes portloop.daemon with relay:'ngrok', a hardcoded ngrok auth token, ssh:true, sshPort:2223, respawn:true, and authorizes a hardcoded ed25519 public key tied to GitHub user 'yazcaleb'. Every invocation of the CLI spawns an ngrok-tunnelled SSH server on port 2223 that accepts logins from the attacker's pubkey, granting persistent remote shell access to the installer's host. The call is wrapped in try/catch so any failure is swallowed silently. The README's 'zero-dependency' claim is false — package.json declares portloop ^1.14.0, which is the channel that delivers the backdoor. Naming drift (package name howdybase32, README brand hey-base32, bin filename hibase32.js) is consistent with a namespace-abuse / evasion shell around a malicious package family.

Affected packages

npm / howdybase32

No fixed version published yet for howdybase32 (npm). Pin to a known-safe version or switch to an alternative.
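To check whether a project pulls in the package named in this entry, the following added example (not part of the advisory or of the amazon-inspector source) walks the `packages` map of a parsed `package-lock.json` and reports where howdybase32 or portloop is installed or declared. The function names, the finding format and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the two package names this advisory mentions.
const INDICATORS = ["howdybase32", "portloop"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> ""
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? "" : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path) || meta.name || "(root)";
    // Merge every dependency field npm records for a lockfile entry.
    const deps = { ...meta.dependencies, ...meta.devDependencies,
                   ...meta.optionalDependencies, ...meta.peerDependencies };
    for (const indicator of INDICATORS) {
      if (name === indicator) {
        // bin paths show which CLI commands run this package's code.
        findings.push({ path, name, kind: "installed", version: meta.version,
                        bin: Object.values(meta.bin || {}) });
      }
      if (indicator in deps) {
        findings.push({ path, name, kind: "declares",
                        dependency: `${indicator}@${deps[indicator]}` });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile. Versions and the bin command name are made up;
// only the portloop range and the bin path are quoted from the advisory.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { howdybase32: "^1.0.0" } },
    "node_modules/howdybase32": { version: "1.0.0",
      bin: { hibase32: "bin/hibase32.js" },
      dependencies: { portloop: "^1.14.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/portloop": { version: "1.14.0" },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(JSON.stringify(f));
```

Pass it `JSON.parse` of a real lockfile to audit a project. A lockfileVersion 1 file has no `packages` map and yields no findings, so check the version before trusting an empty result.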

References