Which versions of @0xlr/stripe-frontend are malicious?

The following npm versions of @0xlr/stripe-frontend are flagged malicious: 999.0.0. Treat any of these as compromised.

How do I remediate @0xlr/stripe-frontend if I installed it?

Remove @0xlr/stripe-frontend from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @0xlr/stripe-frontend part of a known attack campaign?

Yes — @0xlr/stripe-frontend is associated with the IN-MAL-2026-004972, IN-MAL-2026-004971 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @0xlr/stripe-frontend in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @0xlr/stripe-frontend and packages like it before any post-install script runs.

Malicious package

@0xlr/stripe-frontendnpm

Malicious code in @0xlr/stripe-frontend (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5389

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @0xlr/stripe-frontend

What this malware does

On npm install, postinstall.js enumerates every entry in process.env (sorted), bundles it with hostname, username, homedir, cwd, argv, and platform/arch, and POSTs the JSON payload over HTTPS to the hardcoded Burp Collaborator subdomain rytxau88zxh61dw6qz4yn19naeg54vsk.oastify.com. Any tokens present in the install environment (AWS, GCP, CI tokens, npm tokens, etc.) are leaked to the attacker. The package's own metadata describes itself as a placeholder reservation for 'stripe-frontend' at version 999.0.0 under the @0xlr scope, indicating a namespace-squat against the Stripe brand whose only payload is the exfiltration script.

Malicious versions

1 flagged

999.0.0

Indicators of compromise (SHA-256)

2ca0e316df6d8593b8b69f9bfc4de1e29a88cc2963be3c0100d052c2eb93eec8

3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e

Frequently asked questions

No. @0xlr/stripe-frontend on npm has been identified as a malicious package (version 999.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004972IN-MAL-2026-004971

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection