npm · Malicious package advisory
Malwarezer0one-dnslog
MAL-2026-5366
Malicious code in zer0one-dnslog (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605) The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on `npm install`, runs a curl pipeline against cloud instance-metadata services to harvest temporary IAM credentials and internal SSRF data, then POSTs the collected output to an attacker-controlled out-of-band host. Specifically, postinstall.js issues curls to AWS metadata at 169.254.169.254 (IAM security-credentials path), Aliyun at 100.100.100.200, Tencent at metadata.tencentyun.com / 169.254.0.23, and Meituan-internal mtsrc-test.sankuai.com, writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/tx.txt, /tmp/tx2.txt, and uploads them via `curl -X POST` to https://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata along with a listing of /data/. package.json declares `"postinstall": "node postinstall.js"`, so the harvest fires automatically on default install. On any cloud build host or CI runner this leaks role credentials with full AWS/Aliyun/Tencent access. The advertised purpose mismatches the shipped behavior (index.js is a one-line hello stub), confirming the package is a lure for credential theft, not a date utility. ## Source: ossf-package-analysis (61ff41f8e8f8f87ab7d1d60d8bed288957cbfa3352dfc6478b12f628c93c51c9) The OpenSSF Package Analysis project identified 'zer0one-dnslog' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Compromised versions (10)
- 1.0.0
- 1.0.4
- 1.0.3
- 1.0.6
- 1.0.2
- 1.0.7
- 1.0.1
- 1.0.8
- 1.0.5
- 1.0.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.