-= Per source details. Do not edit below this line.=-
On npm install, the preinstall lifecycle script in package.json runs curl to POST the installer's hostname (hostname -f), current user (whoami), working directory (pwd), and a base64-encoded dump of the entire process environment (env | base64 -w0) over plain HTTP to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site, an interactsh-style out-of-band collector domain. The dumped environment commonly includes CI tokens, cloud credentials (AWS_*, GCP, Azure), npm publish tokens, and other secrets present at install time, so any installer running npm install hyperpure discloses those secrets to an attacker-controlled listener. The package itself is otherwise hollow — index.js only exports { name: 'hyperpure', version: '1.0.0' } — and the package metadata claims to be Zomato's internal hyperpure restaurant-supply-chain library, matching the shape of a dependency-confusion attack against an internal package name. The harm fires automatically on default install with no user opt-in.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "1.0.0"
      ],
      "id": "IN-MAL-2026-007418",
      "modified_time": "2026-06-24T04:00:01Z",
      "import_time": "2026-06-24T04:54:33.950172567Z",
      "sha256": "96c5552a039e4d845c30fae8f2c376eed21309d6b5298193850594fe4b1854d0",
      "source": "amazon-inspector"
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hyperpure/MAL-2026-6370.json"
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
{
  "package_integrity": [
    {
      "hashes": {
        "sha1": "df30de7bc6149c258e8107a478f3496899d2d3cd",
        "sha512_sri": "sha512-6rks1nAnleuNQYa3H66qDfAdjNhs4VKBYly/hns7xpVJ9y1n6xVNyO0Q3kHPTGd9U3Uy+LyVMMciOpLSPQYJSw=="
      },
      "filename": "hyperpure-1.0.0.tgz"
    }
  ],
  "evidence_files": [
    {
      "path": "package.json",
      "sha256": "4759e16ed8dd42593fa3139959e61a2714f5f1bda4b6a0189ec1beaec3fa01f1",
      "tlsh": "3b01c568a93896333d8c8b70ba6a446978613f4f847c2c045a9b112d828f216237db2a"
    }
  ]
}