MAL-2026-5785

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ve-hemi-rewards/MAL-2026-5785.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5785

Published

2026-06-15T15:09:15Z

Modified

2026-06-15T15:46:46.917475720Z

Summary

Malicious code in ve-hemi-rewards (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1)

On npm install, the package's preinstall lifecycle invokes postinstall.js, which collects hostname, username, and current working directory, then iterates process.env and filters keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i. The matching key/value pairs (CI tokens, cloud credentials, SSH/deploy keys, RPC and wallet secrets, etc.) are JSON-serialized and POSTed over HTTPS to a hardcoded bare IP, 185.130.46.35:8443/collect. The package name 've-hemi-rewards' at version 999.0.0 with description 'Internal package' is a classic dependency-confusion shape — a high-version stub published to the public registry to override resolution of an organization's private package of the same name. There is no legitimate functionality; the package exists to harvest installer secrets.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:09:15Z",
            "versions": [
                "999.0.0"
            ],
            "id": "IN-MAL-2026-006483",
            "import_time": "2026-06-15T15:30:21.579665834Z"
        }
    ]
}

References

https://www.npmjs.com/package/ve-hemi-rewards/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ve-hemi-rewards

Package

Name: ve-hemi-rewards; View open source insights on deps.dev
Purl: pkg:npm/ve-hemi-rewards

Affected ranges

Affected versions

999.*

999.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ve-hemi-rewards/MAL-2026-5785.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2",
            "path": "postinstall.js"
        },
        {
            "sha256": "0ad98ca5ff77c3dc1dcce2bab278753cd13a4d5b8f2d0c08a5039cfec99063b8",
            "tlsh": "abc012349d15567318c407922567840666e11d2b500469695bd7145442eab7258ab61d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-7GKei5D10oKNaqL4gO7o+4YbftIXFJutRFSQ2B833e0+nmsGu3a61yeIck76mMPW3Cr2dE/oAgtH/POUh0gvkQ==",
                "sha1": "5c14582043d99360099619f8fca304aeb8fd53b5"
            },
            "filename": "ve-hemi-rewards-999.0.0.tgz"
        }
    ]
}