hemi-supply-cron @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5779
Ecosystem
npm
Summary
package.json declares a preinstall hook ( node postinstall.js ) that fires automatically on npm install . The script collects host identity (os.hostname(), os.userInfo().username, process.cwd()) and enumerates process.env, filtering keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i to harvest any credential-shaped variables (AWS keys, SSH/deploy tokens, RPC/wallet secrets, API tokens, etc.). The collected JSON payload is HTTPS POSTed to the hardcoded bare IP 185.130.46.35:8443 at path /collect. The package has no library functionality — index.js exports an empty object — and is published at version 999.0.0, the canonical dependency-confusion shape used to override an internal package name with a higher public version. The package's sole purpose is to harvest installer/CI secrets.
Source: amazon-inspector (c41be27601d38eb5c0b527a9ec22b7516734e8eae985a2607ae6d70878f5f1d9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.