chat-adapter-zoomnpm
Malicious code in chat-adapter-zoom (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The chat-adapter-zoom package was published to the npm registry by user 'click2ai' (maintainer email [email protected]) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization (a Zoom chat-adapter integration namespace (Zoom-style naming)) so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.
The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.
Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical across all packages published by this account, differing only in the package name and the target DSN. This package's beacon targets Sentry project 4511709729914880.
Package presents itself as a Zoom chat adapter but ships no Zoom or chat functionality; it is a thin wrapper over @sentry/node. The package.json preinstall script runs 'npm install @sentry/node && node examples/verify.js'. examples/verify.js initializes Sentry against a hardcoded DEFAULT_DSN pointing to o4510485815754752.ingest.us.sentry.io/4511709729914880, fetches the installer's public IP from Cloudflare via setUserFromPublicIp(), attaches it as user.ip_address, triggers an error, and calls Sentry.captureException + flush(5000), delivering the installer's public IP and event data to the author's Sentry project on every install with no user action or opt-in. The exported src/index.js init() also falls back to the same hardcoded DEFAULT_DSN with sendDefaultPii forced to true when callers do not supply their own DSN, silently routing consumer error data and PII to the author. The name/functionality mismatch (keywords target 'zoom'/'chat-adapter' while the code is a Sentry relay) indicates the package is designed to attract unrelated installs.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Backdoor / remote accessFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chat-adapter-zoom (version 12.1.31). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chat-adapter-zoom across your stack and pipelines.
If you installed it — respond
chat-adapter-zoom establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If chat-adapter-zoom was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks chat-adapter-zoom before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
- SafeDep · finder
Detect & block this
O3 blocks chat-adapter-zoom-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.