MAL-2026-5391

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/vercel-analytics/MAL-2026-5391.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5391

Published

2026-06-09T16:07:40Z

Modified

2026-06-09T17:16:28.865521724Z

Summary

Malicious code in @0xlr/vercel-analytics (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938)

On npm install, postinstall.js enumerates every process.env variable (including credentials such as AWS_*, NPMTOKEN, GITHUBTOKEN and other CI tokens) and collects host fingerprint data — hostname, username, homedir, cwd, argv, and platform — then POSTs the JSON payload to https://rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com/. The destination is a Burp Suite Collaborator (oastify.com) out-of-band interaction host, used here as an attacker-controlled exfiltration sink. The package name @0xlr/vercel-analytics impersonates Vercel's @vercel/analytics, and the 999.0.0 version plus the self-described Placeholder reservation text are the canonical shape of a weaponized dependency-confusion squat designed to override an internal package of the same unscoped name.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:07:41Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "7b1f5b447021e3782c516e27d02a751f714d885ebfd7fd9751de5921a42bac93",
            "id": "IN-MAL-2026-004974",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.415414931Z"
        },
        {
            "modified_time": "2026-06-09T16:07:40Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938",
            "id": "IN-MAL-2026-004973",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:45.321423987Z"
        }
    ]
}

References

https://www.npmjs.com/package/@0xlr/vercel-analytics/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @0xlr/vercel-analytics

Package

Name: @0xlr/vercel-analytics; View open source insights on deps.dev
Purl: pkg:npm/%400xlr%2Fvercel-analytics

Affected ranges

Affected versions

999.*

999.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07",
            "tlsh": "762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579",
            "path": "postinstall.js"
        },
        {
            "sha256": "26e53cb17b1667cd29775550a493147e171374adf83b5282c950f456bcb659d9",
            "tlsh": "f2d0225cb781ba377e850bda3c1388cc8af9032480a4c03049930ebc0262ee8c99b017",
            "path": "package.json"
        }
    ],
    "domains": [
        "rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-t0yoWQyfDoXL8bl8mHAX4L4KlVL8KU6smTuXJPnhnDd/iAWU7HjF19drSIeSOQf3ueZpG8wRcQ7VgQDja6i3CQ==",
                "sha1": "baee0235d98f8932599d837c9dda7767d13a0455"
            },
            "filename": "vercel-analytics-999.0.0.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/vercel-analytics/MAL-2026-5391.json"