-= Per source details. Do not edit below this line.=-
index.js (the package main) executes at require-time and performs credential and host exfiltration. It iterates process.env and filters keys matching a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_, etc.), collects hostname and username, and runs whoami && id && cat /proc/1/cgroup via child_process.execSync to fingerprint the user/container/CI runner. The collected data is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The version number (99.0.0) and scoped name are consistent with a typosquat/impersonation of an @hibachi-xyz SDK.
The OpenSSF Package Analysis project identified '@hibachi-xyz/sdk' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010700",
"sha256": "54956c91d0cedbe9097a2a8f7fa864382bd3b5a91ba7ccbe4a0219081be711f9",
"modified_time": "2026-07-16T18:34:17Z",
"versions": [
"99.0.0"
],
"source": "amazon-inspector",
"import_time": "2026-07-16T18:53:59.902630003Z"
},
{
"sha256": "c11bfc518d9b46d575a8f0354528c134382b02809f4958c0029a128d7177d79d",
"modified_time": "2026-07-16T11:10:58Z",
"versions": [
"99.0.0"
],
"source": "ossf-package-analysis",
"import_time": "2026-07-17T03:07:33.998474067Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "sdk-99.0.0.tgz",
"hashes": {
"sha1": "aa6f289844ac0efd8e7f2ea9fcdf8e283e909ae4",
"sha512_sri": "sha512-WoS8A8ftezc1gWcogP5cmPZy0iLVanM1AXRJ/ihTYZqPV/oztaCgqRNgRBH+G0pL6PSj4Xu4u6SjGh7PhyZpcw=="
}
}
],
"evidence_files": [
{
"tlsh": "2111e3e0c7e591b452b2a2e494efc017b2e3cc207156ede0368d5ba23e92d9404771f3",
"sha256": "0d800f2db51cc9935282ab475e18151d9f169c6b40d5af666b6f405ab9b1fa5e",
"path": "index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hibachi-xyz/sdk/MAL-2026-10714.json"