MAL-2026-5387

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/sentry-web/MAL-2026-5387.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5387

Published

2026-06-09T16:09:16Z

Modified

2026-06-09T17:16:27.183169347Z

Summary

Malicious code in @0xlr/sentry-web (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744)

On npm install, this package automatically executes postinstall.js, which enumerates the entire process.env (every environment variable, including CI secrets, AWS_*, NPM_TOKEN, and any other tokens present in the install environment) along with hostname, username, homedir, cwd, argv, platform, arch, and release. The collected payload is POSTed over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com, a Burp Collaborator out-of-band subdomain used for exfiltration. The package's own description self-identifies as a placeholder squat for the sentry-web name, and it ships at version 999.0.0 — a squat-marker version. Installing this package on any machine where credentials are present in the environment results in those credentials being shipped off-host on a single npm install invocation.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:09:16Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744",
            "id": "IN-MAL-2026-004979",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.836660501Z"
        },
        {
            "import_time": "2026-06-09T16:59:45.868280202Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "70c4e5e40d85289a94afecdf9292683a40e5a3a85ed383e74cbcf8536a921f7a",
            "id": "IN-MAL-2026-004980",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:09:16Z"
        }
    ]
}

References

https://www.npmjs.com/package/@0xlr/sentry-web/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @0xlr/sentry-web

Package

Name: @0xlr/sentry-web; View open source insights on deps.dev
Purl: pkg:npm/%400xlr%2Fsentry-web

Affected ranges

Affected versions

999.*

999.0.0

Database specific

indicators

{
    "domains": [
        "rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
            "tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579",
            "path": "postinstall.js"
        },
        {
            "sha256": "eb2e13680405331e5c079f91d8b2f19f59fc75e20f378d04fbd4652c6eaf189b",
            "tlsh": "12d0229806e0ab362e844bba2c23889c88f902229048422809970ae442f3aa8c51f01b",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "sentry-web-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-VS07irl18VRoHYQ1BWxgwoRIZpgzwmEbADollVjJ/pq106an3s5+POOrCUZlDLNgz1oYuScMXbjJI4DEXVRKZw==",
                "sha1": "f225efa9d7c6a55531755ddfe0a14e9879af3be5"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/sentry-web/MAL-2026-5387.json"