MAL-2026-5899

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stripe-cli-init-plugin/MAL-2026-5899.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5899
Published
2026-06-16T15:20:11Z
Modified
2026-06-16T16:16:48.690685425Z
Summary
Malicious code in stripe-cli-init-plugin (npm)
Details

Source: amazon-inspector (05bd1dbc9732ef80aca27acad964c041b74e646e26cf4947ad34807c41d2c4a8)

Package name 'stripe-cli-init-plugin' impersonates the Stripe CLI ecosystem and ships a bin script (bin/run.js) that, when invoked via npx stripe-cli-init-plugin or as the installed CLI, POSTs the installer's project directory basename and a timestamp to a hardcoded remote URL (https://deepbounty.dd06-dev.fr/cb/10306845-ff21-4176-8574-95dd4917bc45). The package self-describes as a 'Security PoC for Bug Bounty' but is published to the public npm registry under a name designed to be reached via typo or autocomplete confusion against the legitimate Stripe CLI tooling, and provides no advertised functionality — its only effect on the installer is to confirm execution and leak the CWD basename to the author's server. The combination of name-confusion targeting a top-tier brand plus a silent phone-home to an attacker-controlled endpoint constitutes a supply-chain attack regardless of the author's stated intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006754",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-16T16:06:33.294737958Z",
            "modified_time": "2026-06-16T15:20:11Z",
            "sha256": "05bd1dbc9732ef80aca27acad964c041b74e646e26cf4947ad34807c41d2c4a8",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / stripe-cli-init-plugin

Package

Name
stripe-cli-init-plugin
Purl
pkg:npm/stripe-cli-init-plugin

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "stripe-cli-init-plugin-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-+nSYt9gL08bItWlwBqeVgjSLmOzgb6nQeKUj7Ph110+6IQP02Yex5y845X9HAy7BTV1whEMIIN6SXLFMM8EXLQ==",
                "sha1": "3e2e2d246f7875401e80b6a1ccdbe729ce10e5c7"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "211d2ed66357fe273894cd0a18a72a8fc068aae09df1bc9dcbdbc06b6814a35a",
            "tlsh": "8d2154916ad2673412e61ad0995b9d0b732bb50b7e46f498b5dc01881fc813c9573fce",
            "path": "bin/run.js"
        },
        {
            "sha256": "c45a9383d0dbc69b14ffc97af3d3efc2df19e5fea61bbc87e5ddc740a4d6bd85",
            "tlsh": "72d0120c459ab4037a92cafc196e51c0922d076e341ac81908a83424d0eb7faa23a786",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stripe-cli-init-plugin/MAL-2026-5899.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]