{"id":"MAL-2026-5785","summary":"Malicious code in ve-hemi-rewards (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1)\nOn `npm install`, the package's preinstall lifecycle invokes postinstall.js, which collects hostname, username, and current working directory, then iterates process.env and filters keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i. The matching key/value pairs (CI tokens, cloud credentials, SSH/deploy keys, RPC and wallet secrets, etc.) are JSON-serialized and POSTed over HTTPS to a hardcoded bare IP, 185.130.46.35:8443/collect. The package name 've-hemi-rewards' at version 999.0.0 with description 'Internal package' is a classic dependency-confusion shape — a high-version stub published to the public registry to override resolution of an organization's private package of the same name. There is no legitimate functionality; the package exists to harvest installer secrets.\n","modified":"2026-06-15T15:46:46.917475720Z","published":"2026-06-15T15:09:15Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1","modified_time":"2026-06-15T15:09:15Z","id":"IN-MAL-2026-006483","import_time":"2026-06-15T15:30:21.579665834Z","versions":["999.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ve-hemi-rewards/v/999.0.0"}],"affected":[{"package":{"name":"ve-hemi-rewards","ecosystem":"npm","purl":"pkg:npm/ve-hemi-rewards"},"versions":["999.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ve-hemi-rewards/MAL-2026-5785.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"ve-hemi-rewards-999.0.0.tgz","hashes":{"sha1":"5c14582043d99360099619f8fca304aeb8fd53b5","sha512_sri":"sha512-7GKei5D10oKNaqL4gO7o+4YbftIXFJutRFSQ2B833e0+nmsGu3a61yeIck76mMPW3Cr2dE/oAgtH/POUh0gvkQ=="}}],"evidence_files":[{"tlsh":"ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2","sha256":"d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3","path":"postinstall.js"},{"tlsh":"abc012349d15567318c407922567840666e11d2b500469695bd7145442eab7258ab61d","sha256":"0ad98ca5ff77c3dc1dcce2bab278753cd13a4d5b8f2d0c08a5039cfec99063b8","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}