{"id":"MAL-2026-6250","summary":"Malicious code in hyperpure-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c)\nPackage impersonates a Zomato internal namespace (name `hyperpure-core`, repository URL pointing to `github.com/zomato/hyperpure-core`) while shipping a 63-byte stub `index.js` that exports nothing functional. The package.json `preinstall` (and `preuninstall`) lifecycle script runs at `npm install` time and uses curl to POST the installer's `hostname -f`, `whoami`, current working directory, and the full `env` output (base64-encoded) to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site` over plaintext HTTP. On CI / developer machines the captured environment routinely contains credential-grade values (AWS_*, NPM_TOKEN, GH_TOKEN, CI provider secrets), so this is unambiguous installer-side credential and host-identity exfiltration. The shape (internal-name impersonation + hollow module + env-leaking preinstall + OAST out-of-band callback) is a textbook dependency-confusion attack against Zomato build infrastructure.\n\n## Source: ossf-package-analysis (1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3)\nThe OpenSSF Package Analysis project identified 'hyperpure-core' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-24T03:31:23.576135478Z","published":"2026-06-21T16:21:08Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"modified_time":"2026-06-21T16:21:08Z","source":"ossf-package-analysis","import_time":"2026-06-21T16:38:03.237191602Z","sha256":"1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3"},{"modified_time":"2026-06-24T02:44:54Z","versions":["1.0.0"],"id":"IN-MAL-2026-007399","sha256":"47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c","import_time":"2026-06-24T03:14:01.550177186Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hyperpure-core/v/1.0.0"}],"affected":[{"package":{"name":"hyperpure-core","ecosystem":"npm","purl":"pkg:npm/hyperpure-core"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hyperpure-core/MAL-2026-6250.json","indicators":{"evidence_files":[{"path":"package.json","sha256":"8274b3c72accc032639be59965255437eeca7b6f02b4c151f552442248c85405","tlsh":"8901c924693896b33d9c4a70ba2a406d7a617f0f84fc2c005e9b111d828f215232d72b"}],"package_integrity":[{"filename":"hyperpure-core-1.0.0.tgz","hashes":{"sha1":"f838ff03ee730fed3168e840e4245273472a4139","sha512_sri":"sha512-U0hVw+RveRgu1Ud8p4SUeWFa1qlGEA/mZv4Sx49OHNHRdRJyMfpz31B61JcsSN8AtpLlgdlTBNqpbo2tDZWAKw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}