zomato-sushi @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-6254
Ecosystem: npm
Summary
package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname (hostname -f), whoami, current working directory, and a base64-encoded dump of the entire process environment (env | base64 -w0) over plain HTTP to an Interactsh/OAST out-of-band collector at d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site. A preuninstall hook beacons the same host. This fires automatically on npm install with no user opt-in. The bulk environment dump captures any secrets present in the shell at install time, including CI tokens, NPM_TOKEN, AWS_* keys, and similar credentials. The package name mimics Zomato's design system namespace, and the shipped index.js is a stub with no functionality, consistent with a reconnaissance/credential-capture lure rather than a real library.
Source: amazon-inspector (6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c)