npm · Malicious package advisory
Malwareblinkit-core
MAL-2026-6249
Malicious code in blinkit-core (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2ca70b0a6be36daf245deb50dd6b3595a9bfba29c62770e82365152a02832cf8)
On `npm install`, the package's `preinstall` lifecycle hook runs `curl` against `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/` and POSTs the installer's hostname (`hostname -f`), current user (`whoami`), working directory, and a base64-encoded dump of the entire process environment (`env | base64 -w0`) — which on CI/build hosts routinely contains tokens, cloud credentials, and registry auth. The package itself is hollow: `index.js` only exports `{ name, version }` and provides no functionality. The `repository.url` claims `git+https://github.com/zomato/blinkit-core.git` while publishing under that internal-sounding name on the public registry, matching the canonical dependency-confusion attacker shape against Zomato's internal `blinkit-core` namespace. Installer harm: any build pipeline that resolves this public package instead of an internal mirror leaks host identity and the full environment (including secrets) to the attacker's out-of-band interaction listener at install time, before any other code runs.
## Source: ossf-package-analysis (304234c334dce7d26c040f318d608e24b53db9b0b7b0b27d3a6dd2c040481b15)
The OpenSSF Package Analysis project identified 'blinkit-core' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.