@hibachi-xyz/config @99.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 8:58 PM UTC
OSV ID
MAL-2026-10713
Ecosystem
npm
Summary
On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_). It also invokes child_process.execSync to run whoami && id && cat /proc/1/cgroup and collects hostname and username. The combined JSON payload is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The 99.0.0 version number under the @hibachi-xyz scope is consistent with a version-inflation typosquat or scope hijack of legitimate hibachi packages.
Source: amazon-inspector (2012c3b3a43f28209edf1c4b6fdbb0477c7c31f7574e37293cf7dd324f7f1e2f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.