{"id":"MAL-2026-5778","summary":"Malicious code in hemi-earn-actions (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c)\nOn `npm install`, the package's preinstall script (postinstall.js) collects host metadata (hostname, username, cwd, npm config) and iterates process.env, filtering keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i to harvest credential-shaped variables. The resulting JSON payload is POSTed over HTTPS to a hardcoded bare-IP endpoint, https://185.130.46.35:8443/collect. The package itself has no functional API — index.js is `module.exports = {}` — and the version `999.0.0` plus the description 'Internal package' fit the dependency-confusion pattern aimed at organizations that resolve a private name `hemi-earn-actions` from the public registry. Installer harm is automatic credential exfiltration of CI/developer secrets to attacker-controlled infrastructure.\n","modified":"2026-06-15T15:46:47.310044605Z","published":"2026-06-15T15:09:30Z","database_specific":{"malicious-packages-origins":[{"versions":["999.0.0"],"source":"amazon-inspector","sha256":"a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c","import_time":"2026-06-15T15:30:21.81547569Z","id":"IN-MAL-2026-006485","modified_time":"2026-06-15T15:09:30Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hemi-earn-actions/v/999.0.0"}],"affected":[{"package":{"name":"hemi-earn-actions","ecosystem":"npm","purl":"pkg:npm/hemi-earn-actions"},"versions":["999.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"hemi-earn-actions-999.0.0.tgz","hashes":{"sha1":"55e7e26acd74386fe884bb74a5e52b5dc82370a1","sha512_sri":"sha512-867QqQR9OAyWv1JZ24Vei2qoG/nOisC9T1SSmrSNDvjGNTJdLPt81EnJJABWXFAao0G7rNxKcjQRGC4Jrt3Y9g=="}}],"evidence_files":[{"tlsh":"ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2","sha256":"d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3","path":"postinstall.js"},{"tlsh":"49c022308c106b7318c407c218a3800061b14c2b1000681c47c3204003bbbb208ab30d","sha256":"50a27c879a9e9f4b9341cafe62fe9a5764168097d16804c38dff74c64a551718","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hemi-earn-actions/MAL-2026-5778.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}