npm · Malicious package advisory
Malwarezomato-mcp
MAL-2026-6270
Malicious code in zomato-mcp (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e)
On `npm install`, the package's preinstall lifecycle script runs `curl` against `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64(zomato-mcp)>` carrying the installer's `hostname -f`, `whoami`, current working directory, and a base64-encoded dump of the entire process environment (`env | base64 -w0`). This fires automatically with no user consent and over plain HTTP. A preuninstall hook similarly leaks the hostname. The `oast.site` domain is an Interactsh out-of-band collector, used to receive arbitrary attacker-controlled callbacks. The package's advertised functionality is absent: `index.js` is a 59-byte stub (`module.exports = { name: 'zomato-mcp', version: '1.0.0' };`), with no MCP server implementation. Combined with the Zomato-namespace impersonation, this is a dependency-confusion / typosquat attack whose only real behavior is install-time recon and credential exfiltration of the entire shell environment (which routinely contains API tokens, CI secrets, cloud credentials, and registry auth tokens).
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.