Supply-chain threat intelligence
Risk score
92
Indexed incident for @hibachi-xyz/config (npm).
On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_). It also invokes child_process.execSync to run whoami && id && cat /proc/1/cgroup and collects hostname and username. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The 99.0.0 version number under the @hibachi-xyz scope is consistent with a version-inflation typosquat or scope hijack of legitimate hibachi packages.
The OpenSSF Package Analysis project identified '@hibachi-xyz/config' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline