npm · Malicious package advisory
Malwarehyperpure-core
MAL-2026-6250
Malicious code in hyperpure-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c) Package impersonates a Zomato internal namespace (name `hyperpure-core`, repository URL pointing to `github.com/zomato/hyperpure-core`) while shipping a 63-byte stub `index.js` that exports nothing functional. The package.json `preinstall` (and `preuninstall`) lifecycle script runs at `npm install` time and uses curl to POST the installer's `hostname -f`, `whoami`, current working directory, and the full `env` output (base64-encoded) to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site` over plaintext HTTP. On CI / developer machines the captured environment routinely contains credential-grade values (AWS_*, NPM_TOKEN, GH_TOKEN, CI provider secrets), so this is unambiguous installer-side credential and host-identity exfiltration. The shape (internal-name impersonation + hollow module + env-leaking preinstall + OAST out-of-band callback) is a textbook dependency-confusion attack against Zomato build infrastructure. ## Source: ossf-package-analysis (1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3) The OpenSSF Package Analysis project identified 'hyperpure-core' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.