npm · Malicious package advisory
Malware@oplus/obus-core
MAL-2026-5424
Malicious code in @oplus/obus-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d) On `npm install`, scripts/postinstall.js collects the installer's username (os.userInfo()), hostname (os.hostname()), current working directory (process.cwd()), and public IP (fetched from https://api.ipify.org), then ships this data to a hardcoded interactsh callback at xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun through two channels: (1) a DNS lookup whose label is the hex-encoded payload prefixed onto the C2 domain, and (2) an HTTPS GET to /poc with the JSON payload base64-encoded in an `x-poc` header. The package is published at version 99.99.99 under the @oplus scope (mirroring OPlus/Oppo internal naming) — the textbook dependency-confusion shape designed to outrank an internal counterpart during resolution. A source comment self-labels the package as a 'Dependency Confusion PoC - Bug Bounty Research', but the exfiltration fires on every install regardless of stated intent: any developer or build system that resolves this package leaks host identifiers to the attacker-controlled callback domain.
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.