VYPR

npm · Malicious package advisory

Malware

hyperpure-core

MAL-2026-6250

Malicious code in hyperpure-core (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c)
Package impersonates a Zomato internal namespace (name `hyperpure-core`, repository URL pointing to `github.com/zomato/hyperpure-core`) while shipping a 63-byte stub `index.js` that exports nothing functional. The package.json `preinstall` (and `preuninstall`) lifecycle script runs at `npm install` time and uses curl to POST the installer's `hostname -f`, `whoami`, current working directory, and the full `env` output (base64-encoded) to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site` over plaintext HTTP. On CI / developer machines the captured environment routinely contains credential-grade values (AWS_*, NPM_TOKEN, GH_TOKEN, CI provider secrets), so this is unambiguous installer-side credential and host-identity exfiltration. The shape (internal-name impersonation + hollow module + env-leaking preinstall + OAST out-of-band callback) is a textbook dependency-confusion attack against Zomato build infrastructure.

## Source: ossf-package-analysis (1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3)
The OpenSSF Package Analysis project identified 'hyperpure-core' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.