npm · Malicious package advisory
Malwarezomato-config
MAL-2026-6251
Malicious code in zomato-config (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3a1b48a397992964f8f3982dc69a33431bfb26c911c29a1e5d124581cef46a40)
Dependency-confusion package targeting an internal Zomato namespace. The package ships only a stub index.js (`module.exports = { name: 'zomato-config', version: '1.0.0' }`) with no real functionality. Its package.json `preinstall` lifecycle hook runs `curl` to POST `hostname`, `whoami`, `pwd`, and the full process environment (base64-encoded via `env | base64 -w0`) to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/...`. This fires automatically on `npm install` and leaks any environment-variable secrets present at install time (CI tokens, cloud credentials, npm/GitHub tokens) to an attacker-controlled out-of-band interaction host. The shape (empty payload + recon beacon to oast.site + internal-sounding name) matches a dependency-confusion reconnaissance / exfiltration package.
## Source: ossf-package-analysis (4e8030ae84d02e1ee751b187b393636548810d1142b9272c85efc7f6bf030629)
The OpenSSF Package Analysis project identified 'zomato-config' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.