VYPR

npm · Malicious package advisory

Malware

ihubinternal

MAL-2026-4584

Malicious code in ihubinternal (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885)
The package exports a VelocityAuth() function that, when called by integrating applications, sends end-user Solana wallet public keys, signed nonces/signatures, precise GPS coordinates (latitude/longitude), and any JWT stored under localStorage key `vjwt` to the hardcoded URL `https://itsxpulse-401.hf.space/x401_auth` (dist/index.js line 2). The destination is an anonymous HuggingFace Space with `Velocity`/`VELOCITY401`/`x401` branding that does not correspond to the npm publisher (`immutablehub`/`ihubinternal`). The README contains only the text `### INTERNAL AUTH PKG` and does not document the remote endpoint, the data fields transmitted, or the integration model. Any application that wires this SDK into an authentication flow ends up forwarding its end-users' wallet credentials and location data to a third-party host the integrator cannot inspect or audit. This is the silent-relay shape: a package whose advertised API hard-codes a destination such that normal use leaks caller-supplied (and end-user) data to that destination.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.