VYPR

npm · Malicious package advisory

Malware

zomato-sushi

MAL-2026-6254

Malicious code in zomato-sushi (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c)
package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname (`hostname -f`), `whoami`, current working directory, and a base64-encoded dump of the entire process environment (`env | base64 -w0`) over plain HTTP to an Interactsh/OAST out-of-band collector at `d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site`. A preuninstall hook beacons the same host. This fires automatically on `npm install` with no user opt-in. The bulk environment dump captures any secrets present in the shell at install time, including CI tokens, NPM_TOKEN, AWS_* keys, and similar credentials. The package name mimics Zomato's design system namespace and the shipped index.js is a stub with no functionality, consistent with a reconnaissance/credential-capture lure rather than a real library.

## Source: ossf-package-analysis (d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233)
The OpenSSF Package Analysis project identified 'zomato-sushi' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.