VYPR

npm · Malicious package advisory

Malware

@0xlr/stripe-frontend

MAL-2026-5389

Malicious code in @0xlr/stripe-frontend (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e)
On `npm install`, postinstall.js enumerates every entry in process.env (sorted), bundles it with hostname, username, homedir, cwd, argv, and platform/arch, and POSTs the JSON payload over HTTPS to the hardcoded Burp Collaborator subdomain rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com. Any tokens present in the install environment (AWS, GCP, CI tokens, npm tokens, etc.) are leaked to the attacker. The package's own metadata describes itself as a placeholder reservation for 'stripe-frontend' at version 999.0.0 under the @0xlr scope, indicating a namespace-squat against the Stripe brand whose only payload is the exfiltration script.

Compromised versions (1)

  • 999.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.