MAL-2026-6270

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-mcp/MAL-2026-6270.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6270

Published

2026-06-22T17:42:29Z

Modified

2026-06-22T18:31:22.628063739Z

Summary

Malicious code in zomato-mcp (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e)

On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64(zomato-mcp)> carrying the installer's hostname -f, whoami, current working directory, and a base64-encoded dump of the entire process environment (env | base64 -w0). This fires automatically with no user consent and over plain HTTP. A preuninstall hook similarly leaks the hostname. The oast.site domain is an Interactsh out-of-band collector, used to receive arbitrary attacker-controlled callbacks. The package's advertised functionality is absent: index.js is a 59-byte stub (module.exports = { name: 'zomato-mcp', version: '1.0.0' };), with no MCP server implementation. Combined with the Zomato-namespace impersonation, this is a dependency-confusion / typosquat attack whose only real behavior is install-time recon and credential exfiltration of the entire shell environment (which routinely contains API tokens, CI secrets, cloud credentials, and registry auth tokens).

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:42:29Z",
            "id": "IN-MAL-2026-007147",
            "import_time": "2026-06-22T18:25:28.789678221Z"
        }
    ]
}

References

https://www.npmjs.com/package/zomato-mcp/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / zomato-mcp

Package

Name: zomato-mcp; View open source insights on deps.dev
Purl: pkg:npm/zomato-mcp

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "zomato-mcp-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-MjY+xQst59y5Mqdt38+dOw9xC++KQ5cBM2HuGgIJoO/XpDfzfgCtUKWfhmjjREBfL5rLfeu7IPrYAkYX66hy8Q==",
                "sha1": "f4b328815b9661f18f57b90cf9f5cc95eaee76a5"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "d5face80710194858af26d6bbc86157ca7fad9ffa614b70855cff03e0c3673c1",
            "tlsh": "d501c97579b497a37e8c4770beaa00693e682f9f80352c045e9f011d828f219226ea26",
            "path": "package.json"
        },
        {
            "sha256": "0a765ce5f56409e47c92b9adcd0303f51cc7ccfe41dfe31a79ad40d23558e5e6",
            "tlsh": "dca002a6c0e5a9db15558721994575477ba4454422116261558e5f445681d444105484",
            "path": "index.js"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-mcp/MAL-2026-6270.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]