{"id":"MAL-2026-6370","summary":"Malicious code in hyperpure (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (96c5552a039e4d845c30fae8f2c376eed21309d6b5298193850594fe4b1854d0)\nOn `npm install`, the preinstall lifecycle script in package.json runs `curl` to POST the installer's hostname (`hostname -f`), current user (`whoami`), working directory (`pwd`), and a base64-encoded dump of the entire process environment (`env | base64 -w0`) over plain HTTP to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site`, an interactsh-style out-of-band collector domain. The dumped environment commonly includes CI tokens, cloud credentials (AWS_*, GCP, Azure), npm publish tokens, and other secrets present at install time, so any installer running `npm install hyperpure` discloses those secrets to an attacker-controlled listener. The package itself is otherwise hollow — index.js only exports `{ name: 'hyperpure', version: '1.0.0' }` — and the package metadata claims to be Zomato's internal `hyperpure` restaurant-supply-chain library, matching the shape of a dependency-confusion attack against an internal package name. The harm fires automatically on default install with no user opt-in.\n","modified":"2026-06-24T05:01:21.276179459Z","published":"2026-06-24T04:00:01Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-24T04:00:01Z","sha256":"96c5552a039e4d845c30fae8f2c376eed21309d6b5298193850594fe4b1854d0","import_time":"2026-06-24T04:54:33.950172567Z","id":"IN-MAL-2026-007418","versions":["1.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hyperpure/v/1.0.0"}],"affected":[{"package":{"name":"hyperpure","ecosystem":"npm","purl":"pkg:npm/hyperpure"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-6rks1nAnleuNQYa3H66qDfAdjNhs4VKBYly/hns7xpVJ9y1n6xVNyO0Q3kHPTGd9U3Uy+LyVMMciOpLSPQYJSw==","sha1":"df30de7bc6149c258e8107a478f3496899d2d3cd"},"filename":"hyperpure-1.0.0.tgz"}],"evidence_files":[{"sha256":"4759e16ed8dd42593fa3139959e61a2714f5f1bda4b6a0189ec1beaec3fa01f1","tlsh":"3b01c568a93896333d8c8b70ba6a446978613f4f847c2c045a9b112d828f216237db2a","path":"package.json"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hyperpure/MAL-2026-6370.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}