VYPR

npm · Malicious package advisory

Malware

zomato-server

MAL-2026-6253

Malicious code in zomato-server (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00)
The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, and a base64-encoded dump of the full process environment to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site over plain HTTP. The destination is an Interactsh-style out-of-band collection subdomain unrelated to any legitimate Zomato infrastructure. This fires automatically on `npm install` without user consent, leaking any credentials, tokens, or secrets present in environment variables (CI tokens, npm auth, AWS keys, etc.). The package itself ships only a 62-byte stub index.js exporting { name, version } and impersonates the Zomato brand (description 'Zomato server-side utilities', repo pointing at github.com/zomato/zomato-server), consistent with a dependency-confusion lure targeting Zomato internal builds.

## Source: ossf-package-analysis (f8a4a2681c8fa36379b138cad816cffb627b9e8095e5fe3cbd5a144075efe1da)
The OpenSSF Package Analysis project identified 'zomato-server' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.