VYPR

npm · Malicious package advisory

Malware

zer0one-dnslog

MAL-2026-5366

Malicious code in zer0one-dnslog (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605)
The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on `npm install`, runs a curl pipeline against cloud instance-metadata services to harvest temporary IAM credentials and internal SSRF data, then POSTs the collected output to an attacker-controlled out-of-band host. Specifically, postinstall.js issues curls to AWS metadata at 169.254.169.254 (IAM security-credentials path), Aliyun at 100.100.100.200, Tencent at metadata.tencentyun.com / 169.254.0.23, and Meituan-internal mtsrc-test.sankuai.com, writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/tx.txt, /tmp/tx2.txt, and uploads them via `curl -X POST` to https://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata along with a listing of /data/. package.json declares `"postinstall": "node postinstall.js"`, so the harvest fires automatically on default install. On any cloud build host or CI runner this leaks role credentials with full AWS/Aliyun/Tencent access. The advertised purpose mismatches the shipped behavior (index.js is a one-line hello stub), confirming the package is a lure for credential theft, not a date utility.

## Source: ossf-package-analysis (61ff41f8e8f8f87ab7d1d60d8bed288957cbfa3352dfc6478b12f628c93c51c9)
The OpenSSF Package Analysis project identified 'zer0one-dnslog' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (10)

  • 1.0.0
  • 1.0.4
  • 1.0.3
  • 1.0.6
  • 1.0.2
  • 1.0.7
  • 1.0.1
  • 1.0.8
  • 1.0.5
  • 1.0.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.