VYPR

npm · Malicious package advisory

Malware

@oplus/obus-web-sdk

MAL-2026-5425

Malicious code in @oplus/obus-web-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9)
On `npm install`, the package's `scripts/postinstall.js` collects the installer's username (`os.userInfo()`), hostname (`os.hostname()`), current working directory (`process.cwd()`), and public IP (fetched from `https://api.ipify.org`), then exfiltrates the data to a hardcoded interactsh C2 subdomain `xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun` through two channels: a DNS lookup with the hex-encoded payload as a subdomain, and an HTTPS GET to `/poc` carrying the data base64-encoded in an `x-poc` header. The package uses the `@oplus` scope (impersonating OPlus/Oppo internal namespaces) and is published at version `99.99.99` — the canonical dependency-confusion pattern designed to outrank any legitimate internal release during resolution. The in-source comment framing this as a benign PoC does not change the installer-side harm: any build that resolves `@oplus/obus-web-sdk` against the public registry will leak host/user/IP/cwd to attacker infrastructure.

Compromised versions (1)

  • 99.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.