MAL-2026-5899

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (05bd1dbc9732ef80aca27acad964c041b74e646e26cf4947ad34807c41d2c4a8) Package name 'stripe-cli-init-plugin' impersonates the Stripe CLI ecosystem and ships a bin script (bin/run.js) that, when invoked via `npx stripe-cli-init-plugin` or as the installed CLI, POSTs the installer's project directory basename and a timestamp to a hardcoded remote URL (https://deepbounty.dd06-dev.fr/cb/10306845-ff21-4176-8574-95dd4917bc45). The package self-describes as a 'Security PoC for Bug Bounty' but is published to the public npm registry under a name designed to be reached via typo or autocomplete confusion against the legitimate Stripe CLI tooling, and provides no advertised functionality — its only effect on the installer is to confirm execution and leak the CWD basename to the author's server. The combination of name-confusion targeting a top-tier brand plus a silent phone-home to an attacker-controlled endpoint constitutes a supply-chain attack regardless of the author's stated intent.