npm · Malicious package advisory
Malwarezomato-logger
MAL-2026-6252
Malicious code in zomato-logger (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3dccb8b8b32337c2a257a763c273e03367ec07c904b5db0c07dbf514d546709d)
On `npm install`, the package's preinstall lifecycle script in package.json runs curl to POST the installer's hostname, current user (whoami), working directory, and the entire environment (base64-encoded `env` output) to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64-pkg> over plain HTTP. The destination is an Interactsh / oast.site out-of-band collaborator subdomain — infrastructure used to capture exfiltrated data from victim hosts. The package itself is a hollow stub (index.js exports only `{ name, version }`), and the metadata (`description: "Zomato logging library"`, repo URL git+https://github.com/zomato/zomato-logger.git) impersonates Zomato, consistent with a dependency-confusion attack targeting an org-internal package name. Any host that resolves and installs this package leaks every environment variable (including any CI secrets, tokens, and credentials present in the build environment) to the attacker.
## Source: ossf-package-analysis (637e09431107722f9603562638df114fcb31994e21ead800ccd63a666f65bea3)
The OpenSSF Package Analysis project identified 'zomato-logger' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.