{"id":"MAL-2026-5398","summary":"Malicious code in hey-base32 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517)\nThe package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation. Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval — granting whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI. Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, SIGKILL that pid, then walk /proc/*/cmdline killing any other process whose cmdline contains 'portloop/index.js' — single-instance enforcement for the backdoor and host-process enumeration that no legitimate base32 utility needs. README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel — deliberate misdirection hiding the backdoor surface from anyone reading the documentation. Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay.\n","modified":"2026-06-11T08:01:32.301597825Z","published":"2026-06-09T15:57:35Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004944","sha256":"5352375700d1c29dfe5e0c9854d77bc641777fa57213a7043019db3f80bb8a4c","source":"amazon-inspector","import_time":"2026-06-09T16:59:43.63935398Z","modified_time":"2026-06-09T15:57:35Z","versions":["1.1.2"]},{"import_time":"2026-06-09T16:59:43.596784347Z","sha256":"f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517","source":"amazon-inspector","id":"IN-MAL-2026-004943","versions":["1.1.2"],"modified_time":"2026-06-09T15:57:35Z"},{"source":"amazon-inspector","id":"IN-MAL-2026-005252","sha256":"78131e2e6c075ac43bd9e9efb312fc205649153f3791a796039c68a371340077","import_time":"2026-06-09T22:36:25.666014752Z","versions":["1.1.3"],"modified_time":"2026-06-09T21:44:09Z"},{"id":"IN-MAL-2026-005253","sha256":"f5c1eb26f07b5c68129bf68d4be13dd9b55815128460edfab1fe879a19870ad3","source":"amazon-inspector","import_time":"2026-06-09T22:36:25.713383115Z","modified_time":"2026-06-09T21:44:10Z","versions":["1.1.3"]},{"sha256":"2a41a71e934d13a766eae8f90ce96a1576ed071049af515c9448906e59e22f71","id":"IN-MAL-2026-005302","source":"amazon-inspector","import_time":"2026-06-11T00:00:56.386882736Z","versions":["1.1.1"],"modified_time":"2026-06-10T23:31:08Z"},{"id":"IN-MAL-2026-005303","sha256":"9ecaa97d62e2447359eefab4740f15bf99015fda5e4a58bfeaaaad3f8d8342be","source":"amazon-inspector","import_time":"2026-06-11T00:00:56.523798957Z","modified_time":"2026-06-10T23:31:08Z","versions":["1.1.1"]},{"import_time":"2026-06-11T07:49:41.18794111Z","sha256":"4cac17885e1d79716d99cb1d92fde0e3581b0551ff8f08f6e200844481f60fca","source":"amazon-inspector","id":"IN-MAL-2026-005688","versions":["1.1.0"],"modified_time":"2026-06-11T07:17:13Z"},{"sha256":"bb87b4a5cd1a68b8dab3cba557a2731c3f4a8b61ae5a8b4e999cd323d5d3f072","id":"IN-MAL-2026-005691","source":"amazon-inspector","import_time":"2026-06-11T07:49:41.607585431Z","versions":["1.0.7"],"modified_time":"2026-06-11T07:17:30Z"},{"sha256":"c059a4b3776fcf1261301049299e9ad97d72190cd11552d6dbf1ca9ebc053f2f","id":"IN-MAL-2026-005689","source":"amazon-inspector","import_time":"2026-06-11T07:49:41.306640379Z","versions":["1.0.9"],"modified_time":"2026-06-11T07:17:26Z"},{"id":"IN-MAL-2026-005690","sha256":"c2c7fca5474be128bb273d68fe79734d8b459533b4082773ce6e278fc07d106f","source":"amazon-inspector","import_time":"2026-06-11T07:49:41.530921653Z","modified_time":"2026-06-11T07:17:27Z","versions":["1.0.9"]},{"id":"IN-MAL-2026-005692","sha256":"cd716cd02a576aed7fc9e05f7a8c9eb6a2dcfc670ec287b97dc0d2a2b41c9069","source":"amazon-inspector","import_time":"2026-06-11T07:49:41.68154683Z","versions":["1.0.7"],"modified_time":"2026-06-11T07:17:31Z"},{"sha256":"dbe23cc2f82b323f61f3127bd5d9f778887360799edb998b921b963cf2a049c9","id":"IN-MAL-2026-005687","source":"amazon-inspector","import_time":"2026-06-11T07:49:41.102192447Z","versions":["1.1.0"],"modified_time":"2026-06-11T07:17:13Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.1.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hey-base32/v/1.1.0"}],"affected":[{"package":{"name":"hey-base32","ecosystem":"npm","purl":"pkg:npm/hey-base32"},"versions":["1.1.2","1.1.3","1.1.1","1.1.0","1.0.7","1.0.9"],"database_specific":{"indicators":{"package_integrity":[{"filename":"hey-base32-1.1.2.tgz","hashes":{"sha1":"72fa01e42047aef99f8cb8a9d821a22d46e88208","sha512_sri":"sha512-HpoYxecRIdGtP7kJJRMbTXMAa7kw6/gk9N0wLsljVd/muQA+oVyyn+qH8CYLTVQooHFDaxgQyfYnIYPbcKC8Fg=="}}],"domains":["release-assets.githubusercontent.com","34.2.16.104.in-addr.arpa","github.com"],"evidence_files":[{"path":"bin/hey-base32.js","sha256":"cfd4c46a85e7d87e1287b909caa56bb7f340f472145abedd18e4cf59d9a029a3","tlsh":"5be1a68999ff6420067761ff679f94592d2ae103a205daa4bc9cc3456f4063072b3aff"},{"sha256":"73484e0404ca2910b5fec32697dd37efc1175385a56d0ac124ac815c7d4a07ec","path":"README.md","tlsh":"184122655d025234987ac6b3ab8b6c69fe1cb1ec41012c4c7c5e42d923161e674af4eb"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hey-base32/MAL-2026-5398.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}