npm

hehehe @2.0.2

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10732

Ecosystem

npm

Summary

Package is published as an 'enterprise Windows Diagnostic Utility' but is an anti-proctoring cheating tool that also steals the installer's browser session cookies. main.js invokes a bundled PowerShell routine that opens Chrome, Edge, and Brave 'Local State' files, decrypts the DPAPI-wrapped AES-256-GCM key, and reads each browser's Cookies SQLite database to extract cookies for.openai.com,.chatgpt.com, auth.openai.com, and auth0.openai.com; the decrypted cookies are then injected into the tool's own Electron session to hijack the installer's ChatGPT login. The bin launcher copies electron.exe to 'SearchFilterHost.exe' inside electron/dist to masquerade as a signed Windows Search subsystem process, spawns a detached background watchdog that respawns with random jitter when killed, and uses SetWindowDisplayAffinity WDA_EXCLUDEFROMCAPTURE plus a '--seb-child' Safe Exam Browser migration path to evade Testpad/AMCAT/SEB proctoring. Ships an undocumented 27MB Windows PE binary bin/uia_extract.exe that main.js executes via python "${pyPath}" || "${exePath}" with no hash or signature verification. SECTION_PROMPTS constants for AMCAT sections (GEN/DEB/APT/PRG) and a 'FINAL ANSWER:' extraction contract confirm the cheating-tool payload behind the diagnostic cover story.

Source: amazon-inspector (588dd776720f805d7d84a58c93ffcd21ed860e3fc21a48787d732eb6180b974d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.