{"id":"MAL-2026-5536","summary":"Malicious code in zer0onedatetool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52)\nThe postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated by Burp Collaborator / Project Discovery's interactsh. On every npm install, the script triggers an outbound HTTP request to an attacker-controlled OOB endpoint, which is the canonical fingerprint of a dependency-confusion / supply-chain reconnaissance payload (verifying the package landed in a victim environment and beaconing identifying host information out). The destination is not associated with any legitimate package functionality. Installer impact: any machine running `npm install` on this package automatically beacons to the attacker's OOB collector, leaking install-time host metadata and confirming code execution to the attacker.\n","modified":"2026-06-11T00:16:29.242738389Z","published":"2026-06-10T23:54:54Z","database_specific":{"malicious-packages-origins":[{"sha256":"73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52","import_time":"2026-06-11T00:00:59.04321931Z","source":"amazon-inspector","id":"IN-MAL-2026-005327","versions":["1.0.0"],"modified_time":"2026-06-10T23:54:54Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/zer0onedatetool/v/1.0.0"}],"affected":[{"package":{"name":"zer0onedatetool","ecosystem":"npm","purl":"pkg:npm/zer0onedatetool"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0onedatetool/MAL-2026-5536.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-a8RajLB52riEfxtK5tMlXGl9MkA9aWnuldZCJgvbDwAPDs6Ji9d4RHrKwDOoiZNeUwfMLJOR0xXbRPcWnID+UQ==","sha1":"3bc0de20c567713d5611d1dca579d24e8b5fd40e"},"filename":"zer0onedatetool-1.0.0.tgz"}],"evidence_files":[{"path":"postinstall.js","tlsh":"24018e993260b9366d824e79e37a030ef400f9172ec46f94c1a608f08889a21f069b18","sha256":"64854f57fe007507249a9b578bc1877c7b245af744e2d8479ed8b3dccffacfb5"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}