VYPR

npm · Malicious package advisory

Malware

zomato-config

MAL-2026-6251

Malicious code in zomato-config (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3a1b48a397992964f8f3982dc69a33431bfb26c911c29a1e5d124581cef46a40)
Dependency-confusion package targeting an internal Zomato namespace. The package ships only a stub index.js (`module.exports = { name: 'zomato-config', version: '1.0.0' }`) with no real functionality. Its package.json `preinstall` lifecycle hook runs `curl` to POST `hostname`, `whoami`, `pwd`, and the full process environment (base64-encoded via `env | base64 -w0`) to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/...`. This fires automatically on `npm install` and leaks any environment-variable secrets present at install time (CI tokens, cloud credentials, npm/GitHub tokens) to an attacker-controlled out-of-band interaction host. The shape (empty payload + recon beacon to oast.site + internal-sounding name) matches a dependency-confusion reconnaissance / exfiltration package.

## Source: ossf-package-analysis (4e8030ae84d02e1ee751b187b393636548810d1142b9272c85efc7f6bf030629)
The OpenSSF Package Analysis project identified 'zomato-config' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.