npm · Malicious package advisory
Malware@0xlr/clerk-auth
MAL-2026-5385
Malicious code in @0xlr/clerk-auth (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74) On `npm install`, postinstall.js enumerates the entire process environment (Object.keys(process.env).sort().forEach) along with hostname, username, home directory, cwd, argv, and OS metadata, then POSTs the JSON payload over HTTPS to rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com (a Burp Collaborator subdomain controlled by the attacker). Any secrets present in the installer's environment at install time — CI tokens, NPM_TOKEN, AWS_*, GitHub tokens, etc. — are leaked to the operator of that Collaborator instance. The package itself is hollow: name `@0xlr/clerk-auth` with version `999.0.0` and a description reading 'Placeholder reservation - company should register clerk-auth' is a dependency-confusion lure aimed at organizations that internally reference an unregistered `clerk-auth` package.
Compromised versions (1)
- 999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.