Malicious package

hey-base32 (npm)

Malicious code in hey-base32 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5398
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall hey-base32

What this malware does

The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point (bin/hey-base32.js) starts a remote-access tunnel on every invocation.

Lines 25-36 call portloop.start() with a hardcoded ngrok auth token, ssh:true, sshGithub:'yazcaleb', a preauthorized ed25519 public key, sshPort:2223, respawn:true, and a keep-alive interval. This grants whoever controls the 'yazcaleb' GitHub SSH keys persistent remote SSH access to any host that runs the CLI.

Before starting its own tunnel, lines 13-19 read ~/.portloop.url.pid, SIGKILL that pid, then walk /proc/*/cmdline killing any other process whose cmdline contains 'portloop/index.js'. This is single-instance enforcement for the backdoor, plus host-process enumeration that no legitimate base32 utility needs.

README.md claims 'zero-dependency' while package.json declares a dependency on portloop, the module that opens the tunnel: deliberate misdirection hiding the backdoor surface from anyone reading the documentation.

Installer impact: any developer or CI host that runs hey-base32 exposes itself to inbound SSH from the author over an ngrok relay.

Malicious versions

2 flagged
1.1.2, 1.1.3
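
Triage check for the behavior and versions described above, added here as an example and not part of the advisory or of any vendor tooling: it scans a parsed package-lock.json for hey-base32 and portloop, and checks a Linux host for the ~/.portloop.url.pid file and for processes whose cmdline contains 'portloop/index.js'. The function names, the sample lockfile and the portloop version in it are constructed for illustration.

```javascript
// Added example: triage for MAL-2026-5398; helper names are hypothetical.
const fs = require('fs'), os = require('os'), path = require('path');
const FLAGGED = { name: 'hey-base32', versions: ['1.1.2', '1.1.3'] }; // from the advisory
const TUNNEL_DEP = 'portloop'; // dependency the advisory says opens the tunnel

// Scan a parsed package-lock.json: v2/v3 "packages" map, else the v1 "dependencies" tree.
function scanLock(lock) {
  const hits = [];
  const record = (name, version, where) => {
    const flagged = name === FLAGGED.name && FLAGGED.versions.includes(version);
    if (name === FLAGGED.name || name === TUNNEL_DEP) hits.push({ name, version, where, flagged });
  };
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta.version, `${trail}>${name}`);
      walk(meta.dependencies, `${trail}>${name}`);
    }
  };
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      // "" is the root project; meta.name is set when the package is installed under an alias
      if (key) record(meta.name || key.split('node_modules/').pop(), meta.version, key);
    }
  } else walk(lock.dependencies, 'root');
  return hits;
}

// Host artifacts named in the advisory: the pid file and portloop processes (Linux /proc only).
function hostArtifacts(home = os.homedir(), procRoot = '/proc') {
  const found = [];
  const pidFile = path.join(home, '.portloop.url.pid');
  if (fs.existsSync(pidFile)) found.push(`pidfile:${pidFile}`);
  let pids = [];
  try { pids = fs.readdirSync(procRoot).filter((e) => /^\d+$/.test(e)); } catch { return found; }
  for (const pid of pids) {
    try {
      const cmd = fs.readFileSync(path.join(procRoot, pid, 'cmdline'), 'utf8');
      if (cmd.includes('portloop/index.js')) found.push(`process:${pid}`);
    } catch { /* process exited or cmdline not readable */ }
  }
  return found;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/hey-base32': { version: '1.1.3' },
  'node_modules/portloop': { version: '0.0.0' },
} };
console.log(JSON.stringify(scanLock(SAMPLE_LOCK)), hostArtifacts());
```

A hit with flagged:false on hey-base32 means a version the advisory does not list; a portloop hit on its own still warrants review, since that module is what opens the tunnel.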

Indicators of compromise (SHA-256)

5352375700d1c29dfe5e0c9854d77bc641777fa57213a7043019db3f80bb8a4c
f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517
78131e2e6c075ac43bd9e9efb312fc205649153f3791a796039c68a371340077
f5c1eb26f07b5c68129bf68d4be13dd9b55815128460edfab1fe879a19870ad3

Frequently asked questions

No. hey-base32 on npm has been identified as a malicious package (versions 1.1.2, 1.1.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004944
IN-MAL-2026-004943
IN-MAL-2026-005252
IN-MAL-2026-005253

Credits

  • Amazon Inspector · finder

hey-base32 (npm) malicious package — MAL-2026-5398 | O3 Security