npm · Malicious package advisory
Malware@0xlr/vercel-analytics
MAL-2026-5391
Malicious code in @0xlr/vercel-analytics (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938) On `npm install`, postinstall.js enumerates every process.env variable (including credentials such as AWS_*, NPM_TOKEN, GITHUB_TOKEN and other CI tokens) and collects host fingerprint data — hostname, username, homedir, cwd, argv, and platform — then POSTs the JSON payload to https://rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com/. The destination is a Burp Suite Collaborator (oastify.com) out-of-band interaction host, used here as an attacker-controlled exfiltration sink. The package name `@0xlr/vercel-analytics` impersonates Vercel's `@vercel/analytics`, and the 999.0.0 version plus the self-described `Placeholder reservation` text are the canonical shape of a weaponized dependency-confusion squat designed to override an internal package of the same unscoped name.
Compromised versions (1)
- 999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.