{"id":"MAL-2026-5899","summary":"Malicious code in stripe-cli-init-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (05bd1dbc9732ef80aca27acad964c041b74e646e26cf4947ad34807c41d2c4a8)\nPackage name 'stripe-cli-init-plugin' impersonates the Stripe CLI ecosystem and ships a bin script (bin/run.js) that, when invoked via `npx stripe-cli-init-plugin` or as the installed CLI, POSTs the installer's project directory basename and a timestamp to a hardcoded remote URL (https://deepbounty.dd06-dev.fr/cb/10306845-ff21-4176-8574-95dd4917bc45). The package self-describes as a 'Security PoC for Bug Bounty' but is published to the public npm registry under a name designed to be reached via typo or autocomplete confusion against the legitimate Stripe CLI tooling, and provides no advertised functionality — its only effect on the installer is to confirm execution and leak the CWD basename to the author's server. The combination of name-confusion targeting a top-tier brand plus a silent phone-home to an attacker-controlled endpoint constitutes a supply-chain attack regardless of the author's stated intent.\n","modified":"2026-06-16T16:16:48.690685425Z","published":"2026-06-16T15:20:11Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"source":"amazon-inspector","sha256":"05bd1dbc9732ef80aca27acad964c041b74e646e26cf4947ad34807c41d2c4a8","id":"IN-MAL-2026-006754","import_time":"2026-06-16T16:06:33.294737958Z","modified_time":"2026-06-16T15:20:11Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/stripe-cli-init-plugin/v/1.0.0"}],"affected":[{"package":{"name":"stripe-cli-init-plugin","ecosystem":"npm","purl":"pkg:npm/stripe-cli-init-plugin"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stripe-cli-init-plugin/MAL-2026-5899.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"3e2e2d246f7875401e80b6a1ccdbe729ce10e5c7","sha512_sri":"sha512-+nSYt9gL08bItWlwBqeVgjSLmOzgb6nQeKUj7Ph110+6IQP02Yex5y845X9HAy7BTV1whEMIIN6SXLFMM8EXLQ=="},"filename":"stripe-cli-init-plugin-1.0.0.tgz"}],"evidence_files":[{"tlsh":"8d2154916ad2673412e61ad0995b9d0b732bb50b7e46f498b5dc01881fc813c9573fce","path":"bin/run.js","sha256":"211d2ed66357fe273894cd0a18a72a8fc068aae09df1bc9dcbdbc06b6814a35a"},{"path":"package.json","tlsh":"72d0120c459ab4037a92cafc196e51c0922d076e341ac81908a83424d0eb7faa23a786","sha256":"c45a9383d0dbc69b14ffc97af3d3efc2df19e5fea61bbc87e5ddc740a4d6bd85"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}