MAL-2026-10462

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hehehee/MAL-2026-10462.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10462
Published
2026-07-13T17:48:34Z
Modified
2026-07-13T18:16:55.186150095Z
Summary
Malicious code in hehehee (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (efc5c7d437f7024811aab8bf68e70fb18366e843a3ee3048dc3dfe628bde5628)

Package metadata and README advertise a 'Windows diagnostic utility' / 'high-performance DOM utility', but the actual code (main.js) is a stealth Electron overlay designed to defeat Safe Exam Browser and similar proctoring tools. config.json ships a real-looking __Secure-next-auth.session-token JWE for chatgpt.com; main.js loads it at startup and injects it into a persist:chatgpt Electron session before navigating to chatgpt.com, so every screenshot/UIA-extracted text the tool sends through ChatGPT goes through a hardcoded account that the package author (or whoever harvested the cookie) controls and can read in conversation history. The bin (bin/kalamasha-tool.js) copies the bundled electron.exe to a sibling named SearchFilterHost.exe (the real Windows Search Filter Host system binary) inside nodemodules/electron/dist and spawns it as a detached watchdog with randomised 1–25s respawn jitter, persisting under %LOCALAPPDATA%\Microsoft\Windows\Diagnostics (a path mimicking a Microsoft-owned directory) and only stopping when a .kill_watchdog file appears. The CLI also auto-runs npm install <missing> --no-save at runtime for missing native modules without user consent. The combination of fraudulent package description, process-name masquerade as a Windows system binary, persistence with anti-kill respawn, anti-proctor stealth (WDAEXCLUDEFROMCAPTURE, anti-Alt-Tab styling, cross-desktop migration), and a hardcoded ChatGPT session that silently relays user screen content to a third-party account constitutes a clear supply-chain harm to anyone following the README's quick-start instructions.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T17:48:34Z",
            "versions": [
                "1.0.9"
            ],
            "sha256": "efc5c7d437f7024811aab8bf68e70fb18366e843a3ee3048dc3dfe628bde5628",
            "id": "IN-MAL-2026-010279",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T18:10:13.061629775Z"
        }
    ]
}
References
Credits

Affected packages

npm / hehehee

Package

Affected ranges

Affected versions

1.*
1.0.9

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "63916cc198766407501f60fee87b2689a21a1783f325e91e70a483070b7b2b79ca2574",
            "sha256": "324f44847850605042c9deb9ef43aaec2b836de0bec9643157d95d82624cd144",
            "path": "config.json"
        },
        {
            "tlsh": "6b93e7596021213584326f768b37ad16f726a123e441d354beacc3d82fb1459ceb2fee",
            "sha256": "82d95719cb7a1522470d2978fa73f44ccedc35206e5cc11a1cc9a16ddc706edd",
            "path": "main.js"
        },
        {
            "tlsh": "d4f15249a266133459b15fea5b331c0adb2bd123d5455384b89c83ca3f3642ccda6eee",
            "sha256": "426a20b401c6a1ab58b7014d3c89b4d5e7b011ef25307c482c29b02f782cfff0",
            "path": "bin/kalamasha-tool.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hehehee/MAL-2026-10462.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]