@hibachi-xyz/ui @99.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 8:58 PM UTC
OSV ID
MAL-2026-10716
Ecosystem
npm
Summary
The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require, enumerates process.env and collects every variable whose name matches a broad credential regex (KEY, SECRET, TOKEN, PASS, PRIV, SIGN, AWS, CIRCLE, GITHUB, DB, RDS, SENTRY, PYPI, NPM, DOCKER, KUBE, TUNNEL, CF_), captures hostname and username, and invokes child_process.execSync to run 'whoami && id && cat /proc/1/cgroup' for container/host fingerprinting. The combined JSON payload is POSTed to the hardcoded endpoint https://jorijo.xyz:8443/t with TLS verification disabled (rejectUnauthorized:false). The package name and description mismatch the actual contents and appear to be cover for a dependency-confusion attack against the @hibachi-xyz scope at version 99.0.0.
Source: amazon-inspector (308aa7f8a3746a346bbed305975f68d110bcf6b98815b7bf9f579e37089fd78b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.