MAL-2026-5778

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hemi-earn-actions/MAL-2026-5778.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5778

Published

2026-06-15T15:09:30Z

Modified

2026-06-15T15:46:47.310044605Z

Summary

Malicious code in hemi-earn-actions (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c)

On npm install, the package's preinstall script (postinstall.js) collects host metadata (hostname, username, cwd, npm config) and iterates process.env, filtering keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i to harvest credential-shaped variables. The resulting JSON payload is POSTed over HTTPS to a hardcoded bare-IP endpoint, https://185.130.46.35:8443/collect. The package itself has no functional API — index.js is module.exports = {} — and the version 999.0.0 plus the description 'Internal package' fit the dependency-confusion pattern aimed at organizations that resolve a private name hemi-earn-actions from the public registry. Installer harm is automatic credential exfiltration of CI/developer secrets to attacker-controlled infrastructure.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006485",
            "import_time": "2026-06-15T15:30:21.81547569Z",
            "versions": [
                "999.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:09:30Z",
            "sha256": "a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c"
        }
    ]
}

References

https://www.npmjs.com/package/hemi-earn-actions/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / hemi-earn-actions

Package

Name: hemi-earn-actions; View open source insights on deps.dev
Purl: pkg:npm/hemi-earn-actions

Affected ranges

Affected versions

999.*

999.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hemi-earn-actions/MAL-2026-5778.json"

indicators

{
    "package_integrity": [
        {
            "filename": "hemi-earn-actions-999.0.0.tgz",
            "hashes": {
                "sha1": "55e7e26acd74386fe884bb74a5e52b5dc82370a1",
                "sha512_sri": "sha512-867QqQR9OAyWv1JZ24Vei2qoG/nOisC9T1SSmrSNDvjGNTJdLPt81EnJJABWXFAao0G7rNxKcjQRGC4Jrt3Y9g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2"
        },
        {
            "path": "package.json",
            "sha256": "50a27c879a9e9f4b9341cafe62fe9a5764168097d16804c38dff74c64a551718",
            "tlsh": "49c022308c106b7318c407c218a3800061b14c2b1000681c47c3204003bbbb208ab30d"
        }
    ]
}