@0xlr/prisma-client-js @999.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5386
Ecosystem
npm
Summary
On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU info, and POSTs the resulting JSON blob over HTTPS to the hardcoded attacker-controlled domain rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com (a Burp Collaborator out-of-band exfiltration host). The package name @0xlr/prisma-client-js impersonates the legitimate prisma-client-js / @prisma/client packages, and the 999.0.0 version is the canonical dependency-confusion override pattern (a version high enough to win resolution over any internal or registry copy); the package.json description self-identifies as a 'Placeholder reservation' for that namespace. Any installer running npm install against this package leaks the full process environment (including AWS_*, NPM_TOKEN, GH_* and other CI/CD secrets) plus host identifiers to the attacker.
Source: amazon-inspector (b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4)
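The two indicators the summary calls out, an implausibly high version such as 999.0.0 and a scoped package whose unscoped name shadows a package the organisation already depends on, are both visible in package-lock.json before anything is installed. The following is an added example (not code from the advisory, OSV or Amazon Inspector) of a lockfile check a defender could run in CI; the sample lockfile, the PROTECTED_NAMES / TRUSTED_SCOPES lists and the 900 threshold are constructed assumptions for the demo.

```python
import json

# Constructed sample of an npm lockfileVersion 3 file. The @0xlr/prisma-client-js
# entry mirrors the advisory; the other entries are benign filler.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@prisma/client": "^5.0.0"}},
        "node_modules/@prisma/client": {"version": "5.10.2", "hasInstallScript": True},
        "node_modules/@0xlr/prisma-client-js": {"version": "999.0.0", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Assumed policy: unscoped names the org only accepts from trusted scopes, and the
# scopes that are allowed to publish them.
PROTECTED_NAMES = {"prisma-client-js", "client"}
TRUSTED_SCOPES = {"@prisma"}
# Assumed threshold: a major version this high is treated as a dependency-confusion hint.
SUSPICIOUS_MAJOR = 900


def split_name(path):
    """Turn a lockfile package path into (scope, name); nested paths keep the last package."""
    parts = path.split("node_modules/")[-1].split("/")
    if parts[0].startswith("@"):
        return parts[0], parts[1]
    return None, parts[0]


def find_suspicious(lock_text):
    """Return [(full_name, version, [reasons])] for lockfile entries matching the policy."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        scope, name = split_name(path)
        version = meta.get("version", "")
        reasons = []
        try:
            major = int(version.split(".")[0])
        except ValueError:
            major = -1
        if major >= SUSPICIOUS_MAJOR:
            reasons.append(f"version {version} looks like a dependency-confusion override")
        if name in PROTECTED_NAMES and scope not in TRUSTED_SCOPES:
            reasons.append(f"name {name!r} shadows a protected package under scope {scope!r}")
        # An install script only matters once the entry is already suspicious:
        # that is the point at which postinstall code runs with the installer's environment.
        if meta.get("hasInstallScript") and reasons:
            reasons.append("package declares an install script")
        if reasons:
            full = f"{scope}/{name}" if scope else name
            findings.append((full, version, reasons))
    return findings


if __name__ == "__main__":
    for full, version, reasons in find_suspicious(SAMPLE_LOCK):
        print(f"{full}@{version}")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed lockfile this reports only @0xlr/prisma-client-js@999.0.0, with all three reasons. Pairing a check like this with `ignore-scripts=true` in the project's .npmrc (npm's own setting; it stops postinstall hooks from running at all) limits the blast radius even when a lookalike package does get resolved.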