MAL-2026-5535

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0onedate/MAL-2026-5535.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5535
Published
2026-06-10T23:55:02Z
Modified
2026-06-11T00:16:29.218824391Z
Summary
Malicious code in zer0onedate (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399)

On npm install, postinstall.js executes a chain of curl commands that read cloud instance metadata service (IMDS) endpoints — AWS (169.254.169.254/latest/meta-data/iam/security-credentials/), Alibaba/Aliyun and Tencent metadata hosts, plus 100.100.100.200 and 169.254.0.23 — and write the responses to /tmp/aws.txt, /tmp/ali.txt and /tmp/meituan.txt. It also probes an internal-looking SSRF endpoint at https://mtsrc-test.sankuai.com/ssrf and lists /data/. The aggregated contents are POSTed via curl -X POST -d to http://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata, an attacker-controlled Burp Collaborator subdomain. Any installer running in AWS/Aliyun/Tencent cloud (CI runners, build agents, cloud dev VMs) leaks temporary IAM credentials from IMDS to the attacker, who can then pivot into the victim's cloud account. The targeting of Meituan-internal infrastructure (sankuai.com) plus multiple non-standard cloud metadata IPs indicates deliberate reconnaissance, not opportunistic theft.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005329",
            "versions": [
                "1.0.0"
            ],
            "sha256": "106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:55:15Z",
            "import_time": "2026-06-11T00:00:59.231341291Z"
        },
        {
            "id": "IN-MAL-2026-005328",
            "import_time": "2026-06-11T00:00:59.116812182Z",
            "sha256": "d6d3b1cca8ae0369474912f980f89947449995895ed0238ac2444063dbd957e1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:55:02Z",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / zer0onedate

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0onedate/MAL-2026-5535.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "9d8d2cd48eda895baf0e8ab87b60534ea8d1d7242e06303ae3617f223747a151",
            "tlsh": "f9018e983611b9726d865f7ad379030ef400f95b1fc4ab94c2a61cf0494da61f06db08"
        }
    ],
    "package_integrity": [
        {
            "filename": "zer0onedate-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-moIirCOoF2AhWJm3oqnDecmfquLY/HU+EQtcCKyh2B8wZ7TjcYThPZzEkcVforrxQ4qCkzDxCtoRFPaI9i1Swg==",
                "sha1": "81a574eb90087330b35e5211170c74ae802f1822"
            }
        }
    ]
}