MAL-2026-5389

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-frontend/MAL-2026-5389.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5389

Published

2026-06-09T16:07:35Z

Modified

2026-06-09T17:16:29.257081985Z

Summary

Malicious code in @0xlr/stripe-frontend (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e)

On npm install, postinstall.js enumerates every entry in process.env (sorted), bundles it with hostname, username, homedir, cwd, argv, and platform/arch, and POSTs the JSON payload over HTTPS to the hardcoded Burp Collaborator subdomain rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com. Any tokens present in the install environment (AWS, GCP, CI tokens, npm tokens, etc.) are leaked to the attacker. The package's own metadata describes itself as a placeholder reservation for 'stripe-frontend' at version 999.0.0 under the @0xlr scope, indicating a namespace-squat against the Stripe brand whose only payload is the exfiltration script.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T16:59:45.28179922Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "2ca0e316df6d8593b8b69f9bfc4de1e29a88cc2963be3c0100d052c2eb93eec8",
            "id": "IN-MAL-2026-004972",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:07:36Z"
        },
        {
            "modified_time": "2026-06-09T16:07:35Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e",
            "id": "IN-MAL-2026-004971",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.228743648Z"
        }
    ]
}

References

https://www.npmjs.com/package/@0xlr/stripe-frontend/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @0xlr/stripe-frontend

Package

Name: @0xlr/stripe-frontend; View open source insights on deps.dev
Purl: pkg:npm/%400xlr%2Fstripe-frontend

Affected ranges

Affected versions

999.*

999.0.0

Database specific

indicators

{
    "domains": [
        "rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
            "tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579",
            "path": "postinstall.js"
        },
        {
            "sha256": "c38ec54df7c448739d36f1852c964e18f06ce2d7c3634d1ac747a0ab0c18a9e6",
            "tlsh": "b5d022588680ba365f858b9e6ca3bc8d84f902308088403809d30cb401e3ffcc5ae057",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-JpxFvPmQP5SQXba9YTcDnP92kdCbWJztPMqZFph1m4EZEgNrHyir62AMwVsEOn3t+WbcyAiSZqBKbqqjZN+xdw==",
                "sha1": "703b7a091a08719b249d3349f1edf1f94636032f"
            },
            "filename": "stripe-frontend-999.0.0.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-frontend/MAL-2026-5389.json"