Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in @hibachi-xyz/sdk (npm)

@hibachi-xyz/sdk

Risk score

92

AI summary

Indexed incident for @hibachi-xyz/sdk (npm).

Description

index.js (the package main) executes at require-time and performs credential and host exfiltration. It iterates process.env and filters keys matching a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_, etc.), collects hostname and username, and runs whoami && id && cat /proc/1/cgroup via child_process.execSync to fingerprint the user/container/CI runner. The collected data is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The version number (99.0.0) and scoped name are consistent with a typosquat/impersonation of an @hibachi-xyz SDK.

The OpenSSF Package Analysis project identified '@hibachi-xyz/sdk' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

=99.0.0

Indicators

  • affected version=99.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents