npm · Malicious package advisory
Malwarehey-base32
MAL-2026-5398
Malicious code in hey-base32 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517) The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation. Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval — granting whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI. Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, SIGKILL that pid, then walk /proc/*/cmdline killing any other process whose cmdline contains 'portloop/index.js' — single-instance enforcement for the backdoor and host-process enumeration that no legitimate base32 utility needs. README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel — deliberate misdirection hiding the backdoor surface from anyone reading the documentation. Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay.
Compromised versions (6)
- 1.1.2
- 1.1.3
- 1.1.1
- 1.1.0
- 1.0.7
- 1.0.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.