MAL-2026-4584

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ihubinternal/MAL-2026-4584.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4584

Published

2026-05-21T13:22:46Z

Modified

2026-05-26T06:02:37.111244312Z

Summary

Malicious code in ihubinternal (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885)

The package exports a VelocityAuth() function that, when called by integrating applications, sends end-user Solana wallet public keys, signed nonces/signatures, precise GPS coordinates (latitude/longitude), and any JWT stored under localStorage key vjwt to the hardcoded URL https://itsxpulse-401.hf.space/x401_auth (dist/index.js line 2). The destination is an anonymous HuggingFace Space with Velocity/VELOCITY401/x401 branding that does not correspond to the npm publisher (immutablehub/ihubinternal). The README contains only the text ### INTERNAL AUTH PKG and does not document the remote endpoint, the data fields transmitted, or the integration model. Any application that wires this SDK into an authentication flow ends up forwarding its end-users' wallet credentials and location data to a third-party host the integrator cannot inspect or audit. This is the silent-relay shape: a package whose advertised API hard-codes a destination such that normal use leaks caller-supplied (and end-user) data to that destination.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885",
            "id": "IN-MAL-2026-003820",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T13:22:46Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:51:23.076274287Z"
        }
    ]
}

References

https://www.npmjs.com/package/ihubinternal/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / ihubinternal

Package

Name: ihubinternal; View open source insights on deps.dev
Purl: pkg:npm/ihubinternal

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ihubinternal/MAL-2026-4584.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "6d9251fd91e617c5141e051e6d3ab9b66b35d6bed4b32b4966c5151397e8f66b",
            "tlsh": "ab721a6a73d4292397d3228afd02040172798e7850ec6160bd578b5f6d18449ebfbf7b",
            "path": "dist/index.js"
        },
        {
            "sha256": "ecfde489d03e7f6b8c0e885ecba83cc20c0f103437a6fde734d20dbbf210d860",
            "tlsh": "4bf02430d8219da32acd96911c78525379a58c0b8458f80873e3620d079e26f20bc77d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ihubinternal-1.0.0.tgz",
            "hashes": {
                "sha1": "91fe112d6c9c6c762828a3ce9ee2366620d31254",
                "sha512_sri": "sha512-cO5zwJXmQH96BxzkjzizBayp2++o7QcEHTB06Hu+6RsUP4QkkXx9WcDsNGI9oyJ00MHE05EMLTry/hyBo0Cf0A=="
            }
        }
    ]
}