npm · Malicious package advisory
Malware@0xlr/prisma-client-js
MAL-2026-5386
Malicious code in @0xlr/prisma-client-js (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4) On `npm install`, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU info, and POSTs the resulting JSON blob over HTTPS to the hardcoded attacker-controlled domain `rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com` (a Burp Collaborator out-of-band exfiltration host). The package name `@0xlr/prisma-client-js` impersonates the legitimate prisma-client-js / @prisma/client packages, and the 999.0.0 version is the canonical dependency-confusion override pattern; the package.json description self-identifies as a 'Placeholder reservation' for that namespace. Any installer running `npm install` against this package leaks the full process environment — including AWS_*, NPM_TOKEN, GH_*, CI/CD secrets — plus host identifiers to the attacker.
Compromised versions (1)
- 999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.