Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in @hibachi-xyz/ui (npm)

@hibachi-xyz/ui

Risk score

92

AI summary

Indexed incident for @hibachi-xyz/ui (npm).

Description

The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require, enumerates process.env and collects every variable whose name matches a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), captures hostname and username, and invokes child_process.execSync to run 'whoami && id && cat /proc/1/cgroup' for container/host fingerprinting. The combined JSON payload is POSTed to the hardcoded endpoint https://jorijo.xyz:8443/t with TLS verification disabled (rejectUnauthorized:false). The package name and description mismatch the actual contents and appear to be cover for a dependency-confusion attack against the @hibachi-xyz scope at version 99.0.0.

The OpenSSF Package Analysis project identified '@hibachi-xyz/ui' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

=99.0.0

Indicators

  • affected version=99.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents