npm · Malicious package advisory
Malwarestripe-internal-utils
MAL-2026-4184
Malicious code in stripe-internal-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b6add7fd3034c5b0d00e39e2cbfeb7c664085ef412612b53ebe9fd81767449be) package.json declares a postinstall hook that auto-fires on `npm install` and performs reconnaissance + exfiltration against the installer. The inline `node -e` payload fetches the installer's public IP from api.ipify.org, executes `id || ver && whoami && hostname` via child_process.exec, and POSTs a JSON body containing the timestamp, USERDOMAIN/USERDNSDOMAIN/COMPANY environment variables, public IP, hostname, current working directory, and shell command output to a hardcoded interactsh beacon at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun over HTTP. The package's own description self-identifies as 'Full RCE PoC -osama', and the package name impersonates the Stripe brand to lure installers into a name they would plausibly trust. Any developer or build system running `npm install stripe-internal-utils` leaks identifying host and user information to the attacker. ## Source: ossf-package-analysis (b89c3b9d4dee2f11d05bf97a5338eeb6c5b1b2679157feed7984ab3e97d64ddf) The OpenSSF Package Analysis project identified 'stripe-internal-utils' @ 8.2.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 8.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.