npm · Malicious package advisory
Malwarezomato-server
MAL-2026-6253
Malicious code in zomato-server (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00)
The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, and a base64-encoded dump of the full process environment to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site over plain HTTP. The destination is an Interactsh-style out-of-band collection subdomain unrelated to any legitimate Zomato infrastructure. This fires automatically on `npm install` without user consent, leaking any credentials, tokens, or secrets present in environment variables (CI tokens, npm auth, AWS keys, etc.). The package itself ships only a 62-byte stub index.js exporting { name, version } and impersonates the Zomato brand (description 'Zomato server-side utilities', repo pointing at github.com/zomato/zomato-server), consistent with a dependency-confusion lure targeting Zomato internal builds.
## Source: ossf-package-analysis (f8a4a2681c8fa36379b138cad816cffb627b9e8095e5fe3cbd5a144075efe1da)
The OpenSSF Package Analysis project identified 'zomato-server' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.