Which versions of ve-hemi-rewards are malicious?

The following npm versions of ve-hemi-rewards are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate ve-hemi-rewards if I installed it?

Remove ve-hemi-rewards from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ve-hemi-rewards part of a known attack campaign?

Yes — ve-hemi-rewards is associated with the IN-MAL-2026-006483 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ve-hemi-rewards in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ve-hemi-rewards and packages like it before any post-install script runs.

Malicious package

ve-hemi-rewardsnpm

Malicious code in ve-hemi-rewards (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5785

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ve-hemi-rewards

What this malware does

On npm install, the package's preinstall lifecycle invokes postinstall.js, which collects hostname, username, and current working directory, then iterates process.env and filters keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i. The matching key/value pairs (CI tokens, cloud credentials, SSH/deploy keys, RPC and wallet secrets, etc.) are JSON-serialized and POSTed over HTTPS to a hardcoded bare IP, 185.130.46.35:8443/collect. The package name 've-hemi-rewards' at version 999.0.0 with description 'Internal package' is a classic dependency-confusion shape — a high-version stub published to the public registry to override resolution of an organization's private package of the same name. There is no legitimate functionality; the package exists to harvest installer secrets.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1

Frequently asked questions

No. ve-hemi-rewards on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006483

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection