{"id":"MAL-2026-4584","summary":"Malicious code in ihubinternal (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885)\nThe package exports a VelocityAuth() function that, when called by integrating applications, sends end-user Solana wallet public keys, signed nonces/signatures, precise GPS coordinates (latitude/longitude), and any JWT stored under localStorage key `vjwt` to the hardcoded URL `https://itsxpulse-401.hf.space/x401_auth` (dist/index.js line 2). The destination is an anonymous HuggingFace Space with `Velocity`/`VELOCITY401`/`x401` branding that does not correspond to the npm publisher (`immutablehub`/`ihubinternal`). The README contains only the text `### INTERNAL AUTH PKG` and does not document the remote endpoint, the data fields transmitted, or the integration model. Any application that wires this SDK into an authentication flow ends up forwarding its end-users' wallet credentials and location data to a third-party host the integrator cannot inspect or audit.\nThis is the silent-relay shape: a package whose advertised API hard-codes a destination such that normal use leaks caller-supplied (and end-user) data to that destination.\n","modified":"2026-05-26T06:02:37.111244312Z","published":"2026-05-21T13:22:46Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T13:22:46Z","import_time":"2026-05-26T05:51:23.076274287Z","source":"amazon-inspector","versions":["1.0.0"],"sha256":"8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885","id":"IN-MAL-2026-003820"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ihubinternal/v/1.0.0"}],"affected":[{"package":{"name":"ihubinternal","ecosystem":"npm","purl":"pkg:npm/ihubinternal"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"ab721a6a73d4292397d3228afd02040172798e7850ec6160bd578b5f6d18449ebfbf7b","path":"dist/index.js","sha256":"6d9251fd91e617c5141e051e6d3ab9b66b35d6bed4b32b4966c5151397e8f66b"},{"tlsh":"4bf02430d8219da32acd96911c78525379a58c0b8458f80873e3620d079e26f20bc77d","path":"package.json","sha256":"ecfde489d03e7f6b8c0e885ecba83cc20c0f103437a6fde734d20dbbf210d860"}],"package_integrity":[{"hashes":{"sha1":"91fe112d6c9c6c762828a3ce9ee2366620d31254","sha512_sri":"sha512-cO5zwJXmQH96BxzkjzizBayp2++o7QcEHTB06Hu+6RsUP4QkkXx9WcDsNGI9oyJ00MHE05EMLTry/hyBo0Cf0A=="},"filename":"ihubinternal-1.0.0.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ihubinternal/MAL-2026-4584.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}