-= Per source details. Do not edit below this line.=-
The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated by Burp Collaborator / Project Discovery's interactsh. On every npm install, the script triggers an outbound HTTP request to an attacker-controlled OOB endpoint, which is the canonical fingerprint of a dependency-confusion / supply-chain reconnaissance payload (verifying the package landed in a victim environment and beaconing identifying host information out). The destination is not associated with any legitimate package functionality. Installer impact: any machine running npm install on this package automatically beacons to the attacker's OOB collector, leaking install-time host metadata and confirming code execution to the attacker.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005327",
"versions": [
"1.0.0"
],
"sha256": "73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:54:54Z",
"import_time": "2026-06-11T00:00:59.04321931Z"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "64854f57fe007507249a9b578bc1877c7b245af744e2d8479ed8b3dccffacfb5",
"tlsh": "24018e993260b9366d824e79e37a030ef400f9172ec46f94c1a608f08889a21f069b18"
}
],
"package_integrity": [
{
"filename": "zer0onedatetool-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-a8RajLB52riEfxtK5tMlXGl9MkA9aWnuldZCJgvbDwAPDs6Ji9d4RHrKwDOoiZNeUwfMLJOR0xXbRPcWnID+UQ==",
"sha1": "3bc0de20c567713d5611d1dca579d24e8b5fd40e"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0onedatetool/MAL-2026-5536.json"