{"id":"MAL-2026-5391","summary":"Malicious code in @0xlr/vercel-analytics (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938)\nOn `npm install`, postinstall.js enumerates every process.env variable (including credentials such as AWS_*, NPM_TOKEN, GITHUB_TOKEN and other CI tokens) and collects host fingerprint data — hostname, username, homedir, cwd, argv, and platform — then POSTs the JSON payload to https://rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com/. The destination is a Burp Suite Collaborator (oastify.com) out-of-band interaction host, used here as an attacker-controlled exfiltration sink. The package name `@0xlr/vercel-analytics` impersonates Vercel's `@vercel/analytics`, and the 999.0.0 version plus the self-described `Placeholder reservation` text are the canonical shape of a weaponized dependency-confusion squat designed to override an internal package of the same unscoped name.\n","modified":"2026-06-09T17:16:28.865521724Z","published":"2026-06-09T16:07:40Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004974","modified_time":"2026-06-09T16:07:41Z","import_time":"2026-06-09T16:59:45.415414931Z","source":"amazon-inspector","versions":["999.0.0"],"sha256":"7b1f5b447021e3782c516e27d02a751f714d885ebfd7fd9751de5921a42bac93"},{"id":"IN-MAL-2026-004973","modified_time":"2026-06-09T16:07:40Z","import_time":"2026-06-09T16:59:45.321423987Z","source":"amazon-inspector","versions":["999.0.0"],"sha256":"fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@0xlr/vercel-analytics/v/999.0.0"}],"affected":[{"package":{"name":"@0xlr/vercel-analytics","ecosystem":"npm","purl":"pkg:npm/%400xlr%2Fvercel-analytics"},"versions":["999.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@0xlr/vercel-analytics/MAL-2026-5391.json","indicators":{"domains":["rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-t0yoWQyfDoXL8bl8mHAX4L4KlVL8KU6smTuXJPnhnDd/iAWU7HjF19drSIeSOQf3ueZpG8wRcQ7VgQDja6i3CQ==","sha1":"baee0235d98f8932599d837c9dda7767d13a0455"},"filename":"vercel-analytics-999.0.0.tgz"}],"evidence_files":[{"sha256":"1ded8a789cf3732b19e4d08f9f8b224a4c81914daad56d165ca4fbce8cf21e07","path":"postinstall.js","tlsh":"762115e152f4867413f23b88b09e95015677f1173a0778f4bdcd52151fac62812f2579"},{"sha256":"26e53cb17b1667cd29775550a493147e171374adf83b5282c950f456bcb659d9","path":"package.json","tlsh":"f2d0225cb781ba377e850bda3c1388cc8af9032480a4c03049930ebc0262ee8c99b017"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}