-= Per source details. Do not edit below this line.=-
The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require, enumerates process.env and collects every variable whose name matches a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), captures hostname and username, and invokes child_process.execSync to run 'whoami && id && cat /proc/1/cgroup' for container/host fingerprinting. The combined JSON payload is POSTed to the hardcoded endpoint https://jorijo.xyz:8443/t with TLS verification disabled (rejectUnauthorized:false). The package name and description mismatch the actual contents and appear to be cover for a dependency-confusion attack against the @hibachi-xyz scope at version 99.0.0.
The OpenSSF Package Analysis project identified '@hibachi-xyz/ui' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.0.0"
],
"sha256": "308aa7f8a3746a346bbed305975f68d110bcf6b98815b7bf9f579e37089fd78b",
"import_time": "2026-07-16T18:53:59.980298653Z",
"modified_time": "2026-07-16T18:34:36Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010702"
},
{
"sha256": "1157af886ccbdd78fe425937398dff9f6fa4d7b93795723e9e2b1b86b77f1c97",
"import_time": "2026-07-17T03:07:34.083171973Z",
"modified_time": "2026-07-16T11:11:04Z",
"source": "ossf-package-analysis",
"versions": [
"99.0.0"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "ui-99.0.0.tgz",
"hashes": {
"sha1": "3cd658c39e251d32796d5616172344994dc9f5cd",
"sha512_sri": "sha512-enwYGXTB4QiAQNj41rDT7JNLeVe4AKUU47oXGcMP+KHg8XyBgnQvBDNAmz5wkfeE0ZeKSKVmx+zNHLDNSINEqg=="
}
}
],
"evidence_files": [
{
"tlsh": "2111e3e0c7e591b452b2a2e494efc017b2e3cc207156ede0368d5ba23e92d9404771f3",
"sha256": "0d800f2db51cc9935282ab475e18151d9f169c6b40d5af666b6f405ab9b1fa5e",
"path": "index.js"
},
{
"tlsh": "47c09b700610a42328c457e54e73574b57910d3b504774041753601452e9a7755f670f",
"sha256": "bc80ddc14af7eab82b93b02180331c0eee15403aee43fb0ab8af99bd241ed8cb",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hibachi-xyz/ui/MAL-2026-10716.json"