VYPR

npm · Malicious package advisory

Malware

@oplus/obus-web-sdk-plugin-recovery

MAL-2026-5426

Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723)
@oplus/obus-web-sdk-plugin-recovery@99.99.99 publishes to a likely-private internal scope at an artificially high version to win resolution against an organization's internal package. On `npm install`, scripts/postinstall.js executes automatically and: (1) reads os.userInfo().username, os.hostname(), and process.cwd(); (2) fetches the installer's public IP from api.ipify.org; (3) hex-encodes the collected fields and issues a DNS lookup of `<payload>.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun`, leaking the data via the subdomain label to an interactsh out-of-band C2; (4) base64-encodes the same payload and sends it as an `x-poc` header in an HTTPS GET to https://xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun/poc. The file labels itself a 'Dependency Confusion PoC - Bug Bounty Research,' but the runtime behavior is unconditional exfiltration of installer identity to a third-party endpoint, with no opt-out, on every install. Combined with the 99.99.99 version pin against the @oplus scope, this is the classic dependency-confusion attack shape and is harmful to any installer who resolves it.

Compromised versions (1)

  • 99.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.