VYPR

npm · Malicious package advisory

Malware

zer0onedatetool

MAL-2026-5536

Malicious code in zer0onedatetool (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52)
The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated by Burp Collaborator / Project Discovery's interactsh. On every npm install, the script triggers an outbound HTTP request to an attacker-controlled OOB endpoint, which is the canonical fingerprint of a dependency-confusion / supply-chain reconnaissance payload (verifying the package landed in a victim environment and beaconing identifying host information out). The destination is not associated with any legitimate package functionality. Installer impact: any machine running `npm install` on this package automatically beacons to the attacker's OOB collector, leaking install-time host metadata and confirming code execution to the attacker.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.