npm · Malicious package advisory
Malwarezomato-sushi
MAL-2026-6254
Malicious code in zomato-sushi (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c) package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname (`hostname -f`), `whoami`, current working directory, and a base64-encoded dump of the entire process environment (`env | base64 -w0`) over plain HTTP to an Interactsh/OAST out-of-band collector at `d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site`. A preuninstall hook beacons the same host. This fires automatically on `npm install` with no user opt-in. The bulk environment dump captures any secrets present in the shell at install time, including CI tokens, NPM_TOKEN, AWS_* keys, and similar credentials. The package name mimics Zomato's design system namespace and the shipped index.js is a stub with no functionality, consistent with a reconnaissance/credential-capture lure rather than a real library. ## Source: ossf-package-analysis (d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233) The OpenSSF Package Analysis project identified 'zomato-sushi' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.