Which versions of zer0onedate are malicious?

The following npm versions of zer0onedate are flagged malicious: 1.0.0, 1.0.2. Treat any of these as compromised.

How do I remediate zer0onedate if I installed it?

Remove zer0onedate from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is zer0onedate part of a known attack campaign?

Yes — zer0onedate is associated with the IN-MAL-2026-005329, IN-MAL-2026-005328 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect zer0onedate in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking zer0onedate and packages like it before any post-install script runs.

Malicious package

zer0onedatenpm

Malicious code in zer0onedate (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5535

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall zer0onedate

What this malware does

On npm install, postinstall.js executes a chain of curl commands that read cloud instance metadata service (IMDS) endpoints — AWS (169.254.169.254/latest/meta-data/iam/security-credentials/), Alibaba/Aliyun and Tencent metadata hosts, plus 100.100.100.200 and 169.254.0.23 — and writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/meituan.txt. It also probes an internal-looking SSRF endpoint at https://mtsrc-test.sankuai.com/ssrf and lists /data/. The aggregated contents are POSTed via curl -X POST -d to http://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata, an attacker-controlled Burp Collaborator subdomain. Any installer running in AWS/Aliyun/Tencent cloud (CI runners, build agents, cloud dev VMs) leaks temporary IAM credentials from IMDS to the attacker, who can then pivot into the victim's cloud account. The targeting of Meituan-internal infrastructure (sankuai.com) plus multiple non-standard cloud metadata IPs indicates deliberate reconnaissance, not opportunistic theft.

Malicious versions

2 flagged

1.0.01.0.2

Indicators of compromise (SHA-256)

106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399

d6d3b1cca8ae0369474912f980f89947449995895ed0238ac2444063dbd957e1

Frequently asked questions

No. zer0onedate on npm has been identified as a malicious package (versions 1.0.0, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005329IN-MAL-2026-005328

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection