MAL-2026-5398

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hey-base32/MAL-2026-5398.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5398
Published
2026-06-09T15:57:35Z
Modified
2026-06-09T22:46:28.664655888Z
Summary
Malicious code in hey-base32 (npm)
Details

Source: amazon-inspector (f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517)

The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation. Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval — granting whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI. Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, SIGKILL that pid, then walk /proc/*/cmdline killing any other process whose cmdline contains 'portloop/index.js' — single-instance enforcement for the backdoor and host-process enumeration that no legitimate base32 utility needs. README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel — deliberate misdirection hiding the backdoor surface from anyone reading the documentation. Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T15:57:35Z",
            "versions": [
                "1.1.2"
            ],
            "sha256": "5352375700d1c29dfe5e0c9854d77bc641777fa57213a7043019db3f80bb8a4c",
            "id": "IN-MAL-2026-004944",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:43.63935398Z"
        },
        {
            "modified_time": "2026-06-09T15:57:35Z",
            "versions": [
                "1.1.2"
            ],
            "sha256": "f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517",
            "id": "IN-MAL-2026-004943",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:43.596784347Z"
        },
        {
            "modified_time": "2026-06-09T21:44:09Z",
            "versions": [
                "1.1.3"
            ],
            "sha256": "78131e2e6c075ac43bd9e9efb312fc205649153f3791a796039c68a371340077",
            "id": "IN-MAL-2026-005252",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T22:36:25.666014752Z"
        },
        {
            "import_time": "2026-06-09T22:36:25.713383115Z",
            "versions": [
                "1.1.3"
            ],
            "sha256": "f5c1eb26f07b5c68129bf68d4be13dd9b55815128460edfab1fe879a19870ad3",
            "id": "IN-MAL-2026-005253",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T21:44:10Z"
        }
    ]
}

Affected packages

npm / hey-base32

Affected versions

1.*
1.1.2
1.1.3

Database specific

indicators
{
    "domains": [
        "release-assets.githubusercontent.com",
        "34.2.16.104.in-addr.arpa",
        "github.com"
    ],
    "evidence_files": [
        {
            "sha256": "cfd4c46a85e7d87e1287b909caa56bb7f340f472145abedd18e4cf59d9a029a3",
            "tlsh": "5be1a68999ff6420067761ff679f94592d2ae103a205daa4bc9cc3456f4063072b3aff",
            "path": "bin/hey-base32.js"
        },
        {
            "sha256": "73484e0404ca2910b5fec32697dd37efc1175385a56d0ac124ac815c7d4a07ec",
            "tlsh": "184122655d025234987ac6b3ab8b6c69fe1cb1ec41012c4c7c5e42d923161e674af4eb",
            "path": "README.md"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-HpoYxecRIdGtP7kJJRMbTXMAa7kw6/gk9N0wLsljVd/muQA+oVyyn+qH8CYLTVQooHFDaxgQyfYnIYPbcKC8Fg==",
                "sha1": "72fa01e42047aef99f8cb8a9d821a22d46e88208"
            },
            "filename": "hey-base32-1.1.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hey-base32/MAL-2026-5398.json"