@hibachi-xyz/sdk @99.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 8:58 PM UTC
OSV ID
MAL-2026-10714
Ecosystem
npm
Summary
index.js (the package main) executes at require-time and performs credential and host exfiltration. It iterates process.env and filters keys matching a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_, etc.), collects hostname and username, and runs whoami && id && cat /proc/1/cgroup via child_process.execSync to fingerprint the user/container/CI runner. The collected data is POSTed to https://jorijo.xyz:8443/t with TLS certificate verification disabled (rejectUnauthorized:false). The version number (99.0.0) and scoped name are consistent with a typosquat/impersonation of an @hibachi-xyz SDK.
Source: amazon-inspector (54956c91d0cedbe9097a2a8f7fa864382bd3b5a91ba7ccbe4a0219081be711f9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.