npm · Malicious package advisory
Malwarezer0onedate
MAL-2026-5535
Malicious code in zer0onedate (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399) On `npm install`, postinstall.js executes a chain of `curl` commands that read cloud instance metadata service (IMDS) endpoints — AWS (169.254.169.254/latest/meta-data/iam/security-credentials/), Alibaba/Aliyun and Tencent metadata hosts, plus 100.100.100.200 and 169.254.0.23 — and writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/meituan.txt. It also probes an internal-looking SSRF endpoint at https://mtsrc-test.sankuai.com/ssrf and lists /data/. The aggregated contents are POSTed via `curl -X POST -d` to http://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata, an attacker-controlled Burp Collaborator subdomain. Any installer running in AWS/Aliyun/Tencent cloud (CI runners, build agents, cloud dev VMs) leaks temporary IAM credentials from IMDS to the attacker, who can then pivot into the victim's cloud account. The targeting of Meituan-internal infrastructure (sankuai.com) plus multiple non-standard cloud metadata IPs indicates deliberate reconnaissance, not opportunistic theft.
Compromised versions (2)
- 1.0.0
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.