-= Per source details. Do not edit below this line.=-
The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation. Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval. This grants whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI. Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, send SIGKILL to that pid, then walk /proc/*/cmdline and kill any other process whose cmdline contains 'portloop/index.js'. This is single-instance enforcement for the backdoor, and it involves host-process enumeration that no legitimate base32 utility needs. README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel; the mismatch is deliberate misdirection that hides the backdoor surface from anyone who reads only the documentation. Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay. Host-side traces named above that responders can check for are the ~/.portloop.url.pid file, a running process whose command line contains 'portloop/index.js', and portloop in the installed dependency tree; because the tunnel is started with respawn:true, a host that ran the CLI should be treated as exposed until that process is confirmed stopped and the package is removed.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-09T15:57:35Z",
"source": "amazon-inspector",
"sha256": "5352375700d1c29dfe5e0c9854d77bc641777fa57213a7043019db3f80bb8a4c",
"id": "IN-MAL-2026-004944",
"versions": [
"1.1.2"
],
"import_time": "2026-06-09T16:59:43.63935398Z"
},
{
"import_time": "2026-06-09T16:59:43.596784347Z",
"source": "amazon-inspector",
"modified_time": "2026-06-09T15:57:35Z",
"id": "IN-MAL-2026-004943",
"versions": [
"1.1.2"
],
"sha256": "f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517"
},
{
"import_time": "2026-06-09T22:36:25.666014752Z",
"source": "amazon-inspector",
"sha256": "78131e2e6c075ac43bd9e9efb312fc205649153f3791a796039c68a371340077",
"id": "IN-MAL-2026-005252",
"versions": [
"1.1.3"
],
"modified_time": "2026-06-09T21:44:09Z"
},
{
"modified_time": "2026-06-09T21:44:10Z",
"source": "amazon-inspector",
"sha256": "f5c1eb26f07b5c68129bf68d4be13dd9b55815128460edfab1fe879a19870ad3",
"id": "IN-MAL-2026-005253",
"versions": [
"1.1.3"
],
"import_time": "2026-06-09T22:36:25.713383115Z"
},
{
"sha256": "2a41a71e934d13a766eae8f90ce96a1576ed071049af515c9448906e59e22f71",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:56.386882736Z",
"id": "IN-MAL-2026-005302",
"versions": [
"1.1.1"
],
"modified_time": "2026-06-10T23:31:08Z"
},
{
"modified_time": "2026-06-10T23:31:08Z",
"source": "amazon-inspector",
"sha256": "9ecaa97d62e2447359eefab4740f15bf99015fda5e4a58bfeaaaad3f8d8342be",
"id": "IN-MAL-2026-005303",
"versions": [
"1.1.1"
],
"import_time": "2026-06-11T00:00:56.523798957Z"
},
{
"import_time": "2026-06-11T07:49:41.18794111Z",
"source": "amazon-inspector",
"modified_time": "2026-06-11T07:17:13Z",
"id": "IN-MAL-2026-005688",
"versions": [
"1.1.0"
],
"sha256": "4cac17885e1d79716d99cb1d92fde0e3581b0551ff8f08f6e200844481f60fca"
},
{
"sha256": "bb87b4a5cd1a68b8dab3cba557a2731c3f4a8b61ae5a8b4e999cd323d5d3f072",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:41.607585431Z",
"id": "IN-MAL-2026-005691",
"versions": [
"1.0.7"
],
"modified_time": "2026-06-11T07:17:30Z"
},
{
"sha256": "c059a4b3776fcf1261301049299e9ad97d72190cd11552d6dbf1ca9ebc053f2f",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:41.306640379Z",
"id": "IN-MAL-2026-005689",
"versions": [
"1.0.9"
],
"modified_time": "2026-06-11T07:17:26Z"
},
{
"modified_time": "2026-06-11T07:17:27Z",
"source": "amazon-inspector",
"sha256": "c2c7fca5474be128bb273d68fe79734d8b459533b4082773ce6e278fc07d106f",
"id": "IN-MAL-2026-005690",
"versions": [
"1.0.9"
],
"import_time": "2026-06-11T07:49:41.530921653Z"
},
{
"import_time": "2026-06-11T07:49:41.68154683Z",
"source": "amazon-inspector",
"sha256": "cd716cd02a576aed7fc9e05f7a8c9eb6a2dcfc670ec287b97dc0d2a2b41c9069",
"id": "IN-MAL-2026-005692",
"versions": [
"1.0.7"
],
"modified_time": "2026-06-11T07:17:31Z"
},
{
"sha256": "dbe23cc2f82b323f61f3127bd5d9f778887360799edb998b921b963cf2a049c9",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:41.102192447Z",
"id": "IN-MAL-2026-005687",
"versions": [
"1.1.0"
],
"modified_time": "2026-06-11T07:17:13Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hey-base32/MAL-2026-5398.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "hey-base32-1.1.2.tgz",
"hashes": {
"sha1": "72fa01e42047aef99f8cb8a9d821a22d46e88208",
"sha512_sri": "sha512-HpoYxecRIdGtP7kJJRMbTXMAa7kw6/gk9N0wLsljVd/muQA+oVyyn+qH8CYLTVQooHFDaxgQyfYnIYPbcKC8Fg=="
}
}
],
"evidence_files": [
{
"tlsh": "5be1a68999ff6420067761ff679f94592d2ae103a205daa4bc9cc3456f4063072b3aff",
"sha256": "cfd4c46a85e7d87e1287b909caa56bb7f340f472145abedd18e4cf59d9a029a3",
"path": "bin/hey-base32.js"
},
{
"tlsh": "184122655d025234987ac6b3ab8b6c69fe1cb1ec41012c4c7c5e42d923161e674af4eb",
"path": "README.md",
"sha256": "73484e0404ca2910b5fec32697dd37efc1175385a56d0ac124ac815c7d4a07ec"
}
],
"domains": [
"release-assets.githubusercontent.com",
"34.2.16.104.in-addr.arpa",
"github.com"
]
}