-= Per source details. Do not edit below this line.=-
On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_). It also invokes child_process.execSync to run whoami && id && cat /proc/1/cgroup and collects hostname and username. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The 99.0.0 version number under the @hibachi-xyz scope is consistent with a version-inflation typosquat or scope hijack of legitimate hibachi packages.
The OpenSSF Package Analysis project identified '@hibachi-xyz/config' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"import_time": "2026-07-16T18:54:00.021233711Z",
"sha256": "2012c3b3a43f28209edf1c4b6fdbb0477c7c31f7574e37293cf7dd324f7f1e2f",
"modified_time": "2026-07-16T18:34:43Z",
"versions": [
"99.0.0"
],
"id": "IN-MAL-2026-010703",
"source": "amazon-inspector"
},
{
"sha256": "4b4af2f9414079b2062bec53821ecf7f67924011261a4f0430450b8415e9b07e",
"versions": [
"99.0.0"
],
"import_time": "2026-07-17T03:07:34.252770881Z",
"source": "ossf-package-analysis",
"modified_time": "2026-07-16T11:16:53Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "config-99.0.0.tgz",
"hashes": {
"sha1": "5269e19f1c7d9a0955f6c7afe7ae2e6f814b6ea9",
"sha512_sri": "sha512-gKJzxLzllZrxlbH27fLw9iJIqTVgBVJYyj+9WvZJsT2O8HulRLkAlHeHIj0ZJ7oPy6+hhr6i17pVmWM/Rm0URQ=="
}
}
],
"evidence_files": [
{
"tlsh": "2111e3e0c7e591b452b2a2e494efc017b2e3cc207156ede0368d5ba23e92d9404771f3",
"sha256": "0d800f2db51cc9935282ab475e18151d9f169c6b40d5af666b6f405ab9b1fa5e",
"path": "index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hibachi-xyz/config/MAL-2026-10713.json"