nizzybase32 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC
OSV ID
MAL-2026-6450
Ecosystem
npm
Summary
The CLI in bin/hibase32.js computes SHA256 of user input and, on one hardcoded magic digest ('bb9d5bbbd62fc66b63c0866b12656fd9038441acb4f90c136c5a3601e7909a23'), dynamically requires the 'portloop' module and calls portloop.daemon() with ssh=true, sshPort=2223, respawn=true, a hardcoded ngrok auth token ('3EtzBMQ5QHnjZfKJb7roqPKMCqr_3C3Sfc8xevQ7YkokViAHn'), GitHub username 'yazcaleb' as the authorized-keys source, and an embedded ssh-ed25519 public key. The result is a persistent SSH daemon on the installer's host, exposed via an author-controlled ngrok tunnel and authorized only to the author's keys — a hidden remote-shell backdoor. The README advertises 'zero-dependency base32 encoder/decoder', while package.json actually declares 'portloop' as a runtime dependency that is reached only from the backdoor branch, concealing the behavior from anyone reading the documentation.
Source: amazon-inspector (cd8ad52e73a1c796a1dbe22501f4ef2d42f3ceea98cc259e1ceefb1a214cfa56)