MAL-2026-6268

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-core/MAL-2026-6268.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6268
Published
2026-06-22T17:42:28Z
Modified
2026-06-22T18:31:22.526805293Z
Summary
Malicious code in zomato-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5)

package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the entire base64-encoded process environment to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64-package-name> over plaintext HTTP. This fires automatically on npm install with no user opt-in, leaking host identity and any secrets present in environment variables (CI tokens, AWS/GCP credentials, npm publish tokens, etc.). The package has no functional content — index.js is a one-line stub exporting { name: 'zomato-core', version: '1.0.0' } — so the package exists solely as the exfiltration vehicle. The name and description impersonate an internal Zomato namespace (zomato-core, described as 'Zomato core utility library', repository github.com/zomato/zomato-core), consistent with a dependency-confusion attack against Zomato engineers and CI whose private internal zomato-core may resolve to this public registry copy.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5",
            "import_time": "2026-06-22T18:25:28.604462605Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:42:28Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007145"
        }
    ]
}

Affected packages

npm / zomato-core

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "zomato-core-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-5JUXBGS8kWcAVQ66kO54xdxgJ9NskRBgIQJeFOFtGys4MjaEnN+7hNIXDKyeTyebWe+U4X95aaLR4BvFTMf9fA==",
                "sha1": "eefce3d6f8b52e566aea704e1b4bcfbba9e8578e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e79ed065ff7dd48d6176435c1c651b99176ee2de3bdd3a027d817e8fddb9cb83",
            "tlsh": "0e01fd78783496333fcc0271bd5a002d3c65bf0f84742c006e9b051d86cf219226d72a",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-core/MAL-2026-6268.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]