MAL-2026-5385

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/clerk-auth/MAL-2026-5385.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5385

Published

2026-06-09T16:07:54Z

Modified

2026-06-09T17:16:28.694216171Z

Summary

Malicious code in @0xlr/clerk-auth (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74)

On npm install, postinstall.js enumerates the entire process environment (Object.keys(process.env).sort().forEach) along with hostname, username, home directory, cwd, argv, and OS metadata, then POSTs the JSON payload over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com (a Burp Collaborator subdomain controlled by the attacker). Any secrets present in the installer's environment at install time — CI tokens, NPMTOKEN, AWS*, GitHub tokens, etc. — are leaked to the operator of that Collaborator instance. The package itself is hollow: name @0xlr/clerk-auth with version 999.0.0 and a description reading 'Placeholder reservation - company should register clerk-auth' is a dependency-confusion lure aimed at organizations that internally reference an unregistered clerk-auth package.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:07:54Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74",
            "id": "IN-MAL-2026-004977",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.600484892Z"
        },
        {
            "modified_time": "2026-06-09T16:07:55Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "f75b5cbd68fb15cdb11785a7a8c83cefd8ad2bb6cf7ed6692f120a5bd8f4f135",
            "id": "IN-MAL-2026-004978",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.628375717Z"
        }
    ]
}

References

https://www.npmjs.com/package/@0xlr/clerk-auth/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @0xlr/clerk-auth

Package

Name: @0xlr/clerk-auth; View open source insights on deps.dev
Purl: pkg:npm/%400xlr%2Fclerk-auth

Affected ranges

Affected versions

999.*

999.0.0

Database specific

indicators

{
    "domains": [
        "rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
            "tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579",
            "path": "postinstall.js"
        },
        {
            "sha256": "7b77f44062b89b2b851fb6a0c11019c3843d983103d418d5198debb3d08ea31d",
            "tlsh": "cbd0224816a0ff379b844b9a2c13888c88fd02728046402219d328f441e2eb8c5bb01f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-XdRYUJmGyNtYIw91qr3Xwga6XNBveWhgce6dJSaMTqswOyQ5iqp+kdgHexMN8y3N2BxWEFApH+qdsTGcgnXp4g==",
                "sha1": "20dbd55535ca0fb5d68e392ff00e0cd7486d21e1"
            },
            "filename": "clerk-auth-999.0.0.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/clerk-auth/MAL-2026-5385.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]