npm

@hibachi-xyz/common @99.0.0

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 8:58 PM UTC

Malicious

OSV ID

MAL-2026-10712

Ecosystem

npm

Summary

On require(), index.js enumerates process.env and filters keys matching credential-shaped patterns (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), collects os.hostname() and os.userInfo().username, and runs execSync("whoami && id && cat /proc/1/cgroup...") for container/CI fingerprinting. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with rejectUnauthorized:false, disabling TLS certificate validation. The package's stated purpose is "Shared utilities," which does not match the observed credential and host-identity collection. Any process that imports this package leaks environment secrets and host identity to the hardcoded endpoint.

Source: amazon-inspector (29d10da07b92571b7e043b1d5a8735143f7abac8e7759ae96b9f815052f01bf5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.