MAL-2026-5328

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zimmo/last_search/MAL-2026-5328.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5328
Published
2026-06-08T14:12:57Z
Modified
2026-06-09T19:01:27.944713930Z
Summary
Malicious code in @zimmo/last_search (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dbddb0ebcd12d13ef5eb1f2cb4e0e41f49b00808e4d23a15b5c22b7ecb23da4d)

The package's preinstall hook runs index.js on every npm install. The script collects host identity data — os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package name — and ships it two ways: (1) hex-encoded into a DNS subdomain resolved against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh out-of-band canary), and (2) POSTed as JSON to the hardcoded bare IP http://172.201.213.59:9090/c. The package has no legitimate functionality — index.js is an exfiltration-only payload. The inflated 99.0.0 version under the @zimmo scope, combined with the "security research" description and recon-only payload, is the canonical dependency-confusion shape: if a build pipeline at Zimmo (or a misconfigured installer) resolves the @zimmo/last_search name from the public npm registry instead of an internal one, the attacker receives internal hostnames, usernames, and install paths as reconnaissance for a follow-on attack.

Source: ossf-package-analysis (daa94c8fc8cb74e07464808cfbe936d15c1f9814981aaa7c41264d6246edfae4)

The OpenSSF Package Analysis project identified '@zimmo/last_search' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
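
A lockfile check for the dependency-confusion shape described in the details above. This is an added example, not code from the advisory or its sources: the registry hostname `npm.internal.example`, the internal-scope list, and the sample packages `@zimmo/ui` and `@zimmo/core` are assumptions made for illustration.

```javascript
// Affected package and versions as listed in this advisory.
const ADVISORY = { id: "MAL-2026-5328", name: "@zimmo/last_search",
  versions: ["99.0.0", "99.0.1"] };
// Assumptions: scopes that must only resolve from the internal registry, and its host.
const INTERNAL_SCOPES = ["@zimmo"];
const INTERNAL_REGISTRY_HOST = "npm.internal.example";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
const packageName = (lockPath) => lockPath.split("node_modules/").pop();

function resolvedHost(entry) {
  try { return new URL(entry.resolved).hostname; } catch { return null; }
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = packageName(path);
    const base = { name, version: entry.version,
      installScript: entry.hasInstallScript === true };
    if (name === ADVISORY.name && ADVISORY.versions.includes(entry.version)) {
      findings.push({ ...base, rule: "advisory-match", id: ADVISORY.id });
      continue;
    }
    const host = resolvedHost(entry);
    const internal = INTERNAL_SCOPES.some((s) => name.startsWith(s + "/"));
    if (internal && host !== null && host !== INTERNAL_REGISTRY_HOST) {
      findings.push({ ...base, rule: "internal-scope-from-foreign-registry", host });
    }
  }
  return findings;
}

// Constructed sample: a package-lock.json (lockfileVersion 3) fragment.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/@zimmo/last_search": { version: "99.0.1", hasInstallScript: true,
    resolved: "https://registry.npmjs.org/@zimmo/last_search/-/last_search-99.0.1.tgz" },
  "node_modules/@zimmo/ui": { version: "2.3.0",
    resolved: "https://registry.npmjs.org/@zimmo/ui/-/ui-2.3.0.tgz" },
  "node_modules/@zimmo/core": { version: "1.4.2",
    resolved: "https://npm.internal.example/@zimmo/core/-/core-1.4.2.tgz" },
  "node_modules/left-pad": { version: "1.3.0",
    resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
}};

console.log(auditLockfile(SAMPLE_LOCK));
```

Pinning the scope to the internal registry in `.npmrc` (`@zimmo:registry=https://npm.internal.example/`, hostname assumed) and installing with `--ignore-scripts` address the two conditions the details describe: public resolution of an internal name and the preinstall hook.
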
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-08T15:12:42.650710601Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "daa94c8fc8cb74e07464808cfbe936d15c1f9814981aaa7c41264d6246edfae4",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-08T14:12:57Z"
        },
        {
            "modified_time": "2026-06-09T17:39:16Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "b0e62dfc62acaf0f69f0018d2bee0f4527101e48f40f5ada130c121c63ab3eb4",
            "id": "IN-MAL-2026-005091",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:54.099491912Z"
        },
        {
            "import_time": "2026-06-09T17:45:54.144997139Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "784a754db3832d4780cf81f16822bee7ae74ad6a179ea9ad15bc6b1242c21b76",
            "id": "IN-MAL-2026-005092",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:39:16Z"
        },
        {
            "modified_time": "2026-06-09T17:55:19Z",
            "versions": [
                "99.0.0"
            ],
            "sha256": "214ca80a464f10ce622ce1308b40f070a5e86690c8450e3b18da1379693891fc",
            "id": "IN-MAL-2026-005145",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:19.317658578Z"
        },
        {
            "modified_time": "2026-06-09T17:55:18Z",
            "versions": [
                "99.0.0"
            ],
            "sha256": "dbddb0ebcd12d13ef5eb1f2cb4e0e41f49b00808e4d23a15b5c22b7ecb23da4d",
            "id": "IN-MAL-2026-005144",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:19.261999998Z"
        }
    ]
}

Affected packages

npm / @zimmo/last_search

Package

Name
@zimmo/last_search
Purl
pkg:npm/%40zimmo%2Flast_search

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "64375805b0cdd184eef346b81659c4dfa3a36a2ae2de3a84ea7105521f3dc7b2",
            "tlsh": "63f0e1e161a0d0f9dbb095d0bdd4768457b3d696b04288f0dc4d0fcf5ac28d05db69e1",
            "path": "index.js"
        }
    ],
    "domains": [
        "7b2268223a227363616e2d333739396633333135346362222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f407a696d6d6f2f6c6173745f736561726368222c2263223a22.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ],
    "package_integrity": [
        {
            "filename": "last_search-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1QiGafT/1uPgO5/C6hD1qL7BUh5sswh2p1t6SPn++6x9ogXnUOw7p1zxcectgckAIFMoHbcABkGW2HwV6pYx0A==",
                "sha1": "0e203cf2d74b064377c34283f526b7f7cff8f7e0"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zimmo/last_search/MAL-2026-5328.json"