{"id":"MAL-2026-5386","summary":"Malicious code in @0xlr/prisma-client-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4)\nOn `npm install`, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU info, and POSTs the resulting JSON blob over HTTPS to the hardcoded attacker-controlled domain `rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com` (a Burp Collaborator out-of-band exfiltration host). The package name `@0xlr/prisma-client-js` impersonates the legitimate prisma-client-js / @prisma/client packages, and the 999.0.0 version is the canonical dependency-confusion override pattern; the package.json description self-identifies as a 'Placeholder reservation' for that namespace. Any installer running `npm install` against this package leaks the full process environment — including AWS_*, NPM_TOKEN, GH_*, CI/CD secrets — plus host identifiers to the attacker.\n","modified":"2026-06-09T17:16:28.690134759Z","published":"2026-06-09T16:07:48Z","database_specific":{"malicious-packages-origins":[{"versions":["999.0.0"],"source":"amazon-inspector","sha256":"64eec2a50f061040c4146b167d637913c050a51935cb1cbae176db711a628335","import_time":"2026-06-09T16:59:45.524632327Z","id":"IN-MAL-2026-004976","modified_time":"2026-06-09T16:07:48Z"},{"versions":["999.0.0"],"source":"amazon-inspector","sha256":"b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4","import_time":"2026-06-09T16:59:45.464660675Z","id":"IN-MAL-2026-004975","modified_time":"2026-06-09T16:07:48Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@0xlr/prisma-client-js/v/999.0.0"}],"affected":[{"package":{"name":"@0xlr/prisma-client-js","ecosystem":"npm","purl":"pkg:npm/%400xlr%2Fprisma-client-js"},"versions":["999.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/prisma-client-js/MAL-2026-5386.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"domains":["rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"],"package_integrity":[{"filename":"prisma-client-js-999.0.0.tgz","hashes":{"sha1":"a75147dce6e2d4a3e61c78262c764a84096393e2","sha512_sri":"sha512-wzAeIY7KeBHesfJ+rBJU1PZVzvcyLiV5UDiOt0EB8hvdbiOn0I/4Kteb0F8OzqMjPqVIgYpexVGXTeMmvSj1Zg=="}}],"evidence_files":[{"tlsh":"762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579","sha256":"1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07","path":"postinstall.js"},{"tlsh":"4ad023940ac3ef362ac98f55ed13d89c84f90210c06490304593086806516acc71d017","sha256":"3f058ecc3e30164fedfa9af8c843ccf500dcdbab0f8afbc18b46027c9d411619","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}