Which versions of hemi-earn-actions are malicious?

The following npm versions of hemi-earn-actions are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate hemi-earn-actions if I installed it?

Remove hemi-earn-actions from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is hemi-earn-actions part of a known attack campaign?

Yes — hemi-earn-actions is associated with the IN-MAL-2026-006485 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect hemi-earn-actions in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking hemi-earn-actions and packages like it before any post-install script runs.

Malicious package

hemi-earn-actionsnpm

Malicious code in hemi-earn-actions (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5778

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall hemi-earn-actions

What this malware does

On npm install, the package's preinstall script (postinstall.js) collects host metadata (hostname, username, cwd, npm config) and iterates process.env, filtering keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i to harvest credential-shaped variables. The resulting JSON payload is POSTed over HTTPS to a hardcoded bare-IP endpoint, https://185.130.46.35:8443/collect. The package itself has no functional API — index.js is module.exports = {} — and the version 999.0.0 plus the description 'Internal package' fit the dependency-confusion pattern aimed at organizations that resolve a private name hemi-earn-actions from the public registry. Installer harm is automatic credential exfiltration of CI/developer secrets to attacker-controlled infrastructure.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c

Frequently asked questions

No. hemi-earn-actions on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006485

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection