Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in @hibachi-xyz/config (npm)

@hibachi-xyz/config

Risk score

92

AI summary

Indexed incident for @hibachi-xyz/config (npm).

Description

On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_). It also invokes child_process.execSync to run whoami && id && cat /proc/1/cgroup and collects hostname and username. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The 99.0.0 version number under the @hibachi-xyz scope is consistent with a version-inflation typosquat or scope hijack of legitimate hibachi packages.

The OpenSSF Package Analysis project identified '@hibachi-xyz/config' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

=99.0.0

Indicators

  • affected version=99.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents