-= Per source details. Do not edit below this line.=-
On npm install, this package automatically executes postinstall.js, which enumerates the entire process.env (every environment variable, including CI secrets, AWS_*, NPM_TOKEN, and any other tokens present in the install environment) along with hostname, username, homedir, cwd, argv, platform, arch, and release. The collected payload is POSTed over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com, a Burp Collaborator out-of-band subdomain used for exfiltration. The package's own description self-identifies as a placeholder squat for the sentry-web name, and it ships at version 999.0.0 — a squat-marker version. Installing this package on any machine where credentials are present in the environment results in those credentials being shipped off-host on a single npm install invocation.
{
"malicious-packages-origins": [
{
"versions": [
"999.0.0"
],
"import_time": "2026-06-09T16:59:45.836660501Z",
"modified_time": "2026-06-09T16:09:16Z",
"id": "IN-MAL-2026-004979",
"sha256": "6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744",
"source": "amazon-inspector"
},
{
"versions": [
"999.0.0"
],
"id": "IN-MAL-2026-004980",
"modified_time": "2026-06-09T16:09:16Z",
"import_time": "2026-06-09T16:59:45.868280202Z",
"sha256": "70c4e5e40d85289a94afecdf9292683a40e5a3a85ed383e74cbcf8536a921f7a",
"source": "amazon-inspector"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/sentry-web/MAL-2026-5387.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"hashes": {
"sha1": "f225efa9d7c6a55531755ddfe0a14e9879af3be5",
"sha512_sri": "sha512-VS07irl18VRoHYQ1BWxgwoRIZpgzwmEbADollVjJ/pq106an3s5+POOrCUZlDLNgz1oYuScMXbjJI4DEXVRKZw=="
},
"filename": "sentry-web-999.0.0.tgz"
}
],
"domains": [
"rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
],
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
"tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579"
},
{
"path": "package.json",
"sha256": "eb2e13680405331e5c079f91d8b2f19f59fc75e20f378d04fbd4652c6eaf189b",
"tlsh": "12d0229806e0ab362e844bba2c23889c88f902229048422809970ae442f3aa8c51f01b"
}
]
}