{"id":"MAL-2026-5328","summary":"Malicious code in @zimmo/last_search (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dbddb0ebcd12d13ef5eb1f2cb4e0e41f49b00808e4d23a15b5c22b7ecb23da4d)\nThe package's preinstall hook runs index.js on every `npm install`. The script collects host identity data — `os.hostname()`, `os.userInfo().username`, `__dirname`, `process.cwd()`, and the package name — and ships it two ways: (1) hex-encoded into a DNS subdomain resolved against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh out-of-band canary), and (2) POSTed as JSON to the hardcoded bare IP `http://172.201.213.59:9090/c`. The package has no legitimate functionality — index.js is an exfiltration-only payload. The inflated `99.0.0` version under the `@zimmo` scope, combined with the `\"security research\"` description and recon-only payload, is the canonical dependency-confusion shape: if a build pipeline at Zimmo (or a misconfigured installer) resolves the `@zimmo/last_search` name from the public npm registry instead of an internal one, the attacker receives internal hostnames, usernames, and install paths as reconnaissance for a follow-on attack.\n\n## Source: ossf-package-analysis (daa94c8fc8cb74e07464808cfbe936d15c1f9814981aaa7c41264d6246edfae4)\nThe OpenSSF Package Analysis project identified '@zimmo/last_search' @ 99.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-09T19:01:27.944713930Z","published":"2026-06-08T14:12:57Z","database_specific":{"malicious-packages-origins":[{"sha256":"daa94c8fc8cb74e07464808cfbe936d15c1f9814981aaa7c41264d6246edfae4","versions":["99.0.1"],"modified_time":"2026-06-08T14:12:57Z","source":"ossf-package-analysis","import_time":"2026-06-08T15:12:42.650710601Z"},{"sha256":"b0e62dfc62acaf0f69f0018d2bee0f4527101e48f40f5ada130c121c63ab3eb4","versions":["99.0.1"],"modified_time":"2026-06-09T17:39:16Z","id":"IN-MAL-2026-005091","source":"amazon-inspector","import_time":"2026-06-09T17:45:54.099491912Z"},{"sha256":"784a754db3832d4780cf81f16822bee7ae74ad6a179ea9ad15bc6b1242c21b76","versions":["99.0.1"],"modified_time":"2026-06-09T17:39:16Z","id":"IN-MAL-2026-005092","source":"amazon-inspector","import_time":"2026-06-09T17:45:54.144997139Z"},{"versions":["99.0.0"],"sha256":"214ca80a464f10ce622ce1308b40f070a5e86690c8450e3b18da1379693891fc","modified_time":"2026-06-09T17:55:19Z","id":"IN-MAL-2026-005145","source":"amazon-inspector","import_time":"2026-06-09T18:50:19.317658578Z"},{"versions":["99.0.0"],"sha256":"dbddb0ebcd12d13ef5eb1f2cb4e0e41f49b00808e4d23a15b5c22b7ecb23da4d","modified_time":"2026-06-09T17:55:18Z","id":"IN-MAL-2026-005144","source":"amazon-inspector","import_time":"2026-06-09T18:50:19.261999998Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zimmo/last_search/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zimmo/last_search/v/99.0.0"}],"affected":[{"package":{"name":"@zimmo/last_search","ecosystem":"npm","purl":"pkg:npm/%40zimmo%2Flast_search"},"versions":["99.0.1","99.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"last_search-99.0.1.tgz","hashes":{"sha512_sri":"sha512-1QiGafT/1uPgO5/C6hD1qL7BUh5sswh2p1t6SPn++6x9ogXnUOw7p1zxcectgckAIFMoHbcABkGW2HwV6pYx0A==","sha1":"0e203cf2d74b064377c34283f526b7f7cff8f7e0"}}],"domains":["7b2268223a227363616e2d333739396633333135346362222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f407a696d6d6f2f6c6173745f736561726368222c2263223a22.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"],"evidence_files":[{"sha256":"64375805b0cdd184eef346b81659c4dfa3a36a2ae2de3a84ea7105521f3dc7b2","tlsh":"63f0e1e161a0d0f9dbb095d0bdd4768457b3d696b04288f0dc4d0fcf5ac28d05db69e1","path":"index.js"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zimmo/last_search/MAL-2026-5328.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}