{"id":"MAL-2026-5387","summary":"Malicious code in @0xlr/sentry-web (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744)\nOn `npm install`, this package automatically executes postinstall.js, which enumerates the entire process.env (every environment variable, including CI secrets, AWS_*, NPM_TOKEN, and any other tokens present in the install environment) along with hostname, username, homedir, cwd, argv, platform, arch, and release. The collected payload is POSTed over HTTPS to `rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com`, a Burp Collaborator out-of-band subdomain used for exfiltration. The package's own description self-identifies as a placeholder squat for the `sentry-web` name, and it ships at version 999.0.0 — a squat-marker version. Installing this package on any machine where credentials are present in the environment results in those credentials being shipped off-host on a single `npm install` invocation.\n","modified":"2026-06-09T17:16:27.183169347Z","published":"2026-06-09T16:09:16Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004979","sha256":"6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744","versions":["999.0.0"],"import_time":"2026-06-09T16:59:45.836660501Z","source":"amazon-inspector","modified_time":"2026-06-09T16:09:16Z"},{"id":"IN-MAL-2026-004980","sha256":"70c4e5e40d85289a94afecdf9292683a40e5a3a85ed383e74cbcf8536a921f7a","versions":["999.0.0"],"modified_time":"2026-06-09T16:09:16Z","source":"amazon-inspector","import_time":"2026-06-09T16:59:45.868280202Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@0xlr/sentry-web/v/999.0.0"}],"affected":[{"package":{"name":"@0xlr/sentry-web","ecosystem":"npm","purl":"pkg:npm/%400xlr%2Fsentry-web"},"versions":["999.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/sentry-web/MAL-2026-5387.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579","path":"postinstall.js","sha256":"1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07"},{"tlsh":"12d0229806e0ab362e844bba2c23889c88f902229048422809970ae442f3aa8c51f01b","path":"package.json","sha256":"eb2e13680405331e5c079f91d8b2f19f59fc75e20f378d04fbd4652c6eaf189b"}],"package_integrity":[{"hashes":{"sha1":"f225efa9d7c6a55531755ddfe0a14e9879af3be5","sha512_sri":"sha512-VS07irl18VRoHYQ1BWxgwoRIZpgzwmEbADollVjJ/pq106an3s5+POOrCUZlDLNgz1oYuScMXbjJI4DEXVRKZw=="},"filename":"sentry-web-999.0.0.tgz"}],"domains":["rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}