Supply-chain threat intelligence
Risk score
92
Indexed incident for @hibachi-xyz/ui (npm).
The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require, enumerates process.env and collects every variable whose name matches a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), captures hostname and username, and invokes child_process.execSync to run 'whoami && id && cat /proc/1/cgroup' for container/host fingerprinting. The combined JSON payload is POSTed to the hardcoded endpoint https://jorijo.xyz:8443/t with TLS verification disabled (rejectUnauthorized:false). The package name and description mismatch the actual contents and appear to be cover for a dependency-confusion attack against the @hibachi-xyz scope at version 99.0.0.
The OpenSSF Package Analysis project identified '@hibachi-xyz/ui' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline