npm · Malicious package advisory
Malwarenizzybase32
MAL-2026-6450
Malicious code in nizzybase32 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cd8ad52e73a1c796a1dbe22501f4ef2d42f3ceea98cc259e1ceefb1a214cfa56)
The CLI in bin/hibase32.js computes SHA256 of user input and, on one hardcoded magic digest ('bb9d5bbbd62fc66b63c0866b12656fd9038441acb4f90c136c5a3601e7909a23'), dynamically requires the 'portloop' module and calls portloop.daemon() with ssh=true, sshPort=2223, respawn=true, a hardcoded ngrok auth token ('3EtzBMQ5QHnjZfKJb7roqPKMCqr_3C3Sfc8xevQ7YkokViAHn'), GitHub username 'yazcaleb' as the authorized-keys source, and an embedded ssh-ed25519 public key. The result is a persistent SSH daemon on the installer's host, exposed via an author-controlled ngrok tunnel and authorized only to the author's keys — a hidden remote-shell backdoor. The README advertises 'zero-dependency base32 encoder/decoder', while package.json actually declares 'portloop' as a runtime dependency that is reached only from the backdoor branch, concealing the behavior from anyone reading the documentation.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.