MAL-2026-6254

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-sushi/MAL-2026-6254.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6254

Published

2026-06-21T16:11:12Z

Modified

2026-06-22T18:31:22.938725507Z

Summary

Malicious code in zomato-sushi (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c)

package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname (hostname -f), whoami, current working directory, and a base64-encoded dump of the entire process environment (env | base64 -w0) over plain HTTP to an Interactsh/OAST out-of-band collector at d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site. A preuninstall hook beacons the same host. This fires automatically on npm install with no user opt-in. The bulk environment dump captures any secrets present in the shell at install time, including CI tokens, NPMTOKEN, AWS* keys, and similar credentials. The package name mimics Zomato's design system namespace and the shipped index.js is a stub with no functionality, consistent with a reconnaissance/credential-capture lure rather than a real library.

Source: ossf-package-analysis (d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233)

The OpenSSF Package Analysis project identified 'zomato-sushi' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.0"
            ],
            "sha256": "d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233",
            "modified_time": "2026-06-21T16:11:12Z",
            "import_time": "2026-06-21T16:38:03.002679704Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c",
            "modified_time": "2026-06-22T17:42:31Z",
            "import_time": "2026-06-22T18:25:28.96204688Z",
            "id": "IN-MAL-2026-007149"
        }
    ]
}

References

https://www.npmjs.com/package/zomato-sushi/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / zomato-sushi

Package

Name: zomato-sushi; View open source insights on deps.dev
Purl: pkg:npm/zomato-sushi

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "zomato-sushi-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-flCjZerwq7C0NTeufuIWAfWqlzVV+UdBAjpodCWEQ7LA8ddiMn49z5RdFMxKTj8W8S9Asf+fqGRb64P8IA4aGw==",
                "sha1": "7535041b8d1508abb2b3ee1b22e332da992a3546"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "59733c4859d2b7323d7d5e3512e306c9bb3b27ee3ab73150d7f662efe023d1e9",
            "tlsh": "a401893679389623bdcc4770bd5a24293c612f4f88352c049b9f222ec28f255237e622",
            "path": "package.json"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-sushi/MAL-2026-6254.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]