MAL-2026-5424

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-core/MAL-2026-5424.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5424
Published
2026-06-09T17:16:31Z
Modified
2026-06-09T18:01:31.648659669Z
Summary
Malicious code in @oplus/obus-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d)

On npm install, scripts/postinstall.js collects the installer's username (os.userInfo()), hostname (os.hostname()), current working directory (process.cwd()), and public IP (fetched from https://api.ipify.org), then ships this data to a hardcoded interactsh callback at xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun through two channels: (1) a DNS lookup whose label is the hex-encoded payload prefixed onto the C2 domain, and (2) an HTTPS GET to /poc with the JSON payload base64-encoded in an x-poc header. The package is published at version 99.99.99 under the @oplus scope (mirroring OPlus/Oppo internal naming) — the textbook dependency-confusion shape designed to outrank an internal counterpart during resolution. A source comment self-labels the package as a 'Dependency Confusion PoC - Bug Bounty Research', but the exfiltration fires on every install regardless of stated intent: any developer or build system that resolves this package leaks host identifiers to the attacker-controlled callback domain.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005003",
            "versions": [
                "99.99.99"
            ],
            "sha256": "686aba482c808347d0722c9c3de657dc62763ce9eff635ef2ca006d0203608b9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:16:31Z",
            "import_time": "2026-06-09T17:45:48.104467426Z"
        },
        {
            "id": "IN-MAL-2026-005002",
            "import_time": "2026-06-09T17:45:47.995405029Z",
            "sha256": "ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:16:31Z",
            "versions": [
                "99.99.99"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @oplus/obus-core

Package

Name
@oplus/obus-core
View open source insights on deps.dev
Purl
pkg:npm/%40oplus%2Fobus-core

Affected ranges

Affected versions

99.*
99.99.99

Database specific

cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "scripts/postinstall.js",
            "sha256": "f40059949c7b589355e2a599bf2fa4b67db5567f71ba84b64fc275f4620bd395",
            "tlsh": "ee11e1e867f09324057250c8ccabdd0a5117e1137a46d9a4facc42a4af446b8ecf2afd"
        },
        {
            "path": "package.json",
            "sha256": "9e9dc73e4e5bea323bee8508fc76367145011ff5c4eda6045113cda44d78ad62",
            "tlsh": "2dd022582c04a33338ce06af0836d808b1a98e4af784a8180bc301c0e3082b98a66746"
        }
    ],
    "package_integrity": [
        {
            "filename": "obus-core-99.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-onXoUck6P7LaLCV9nDjJe2rW7Wt4u4YK9x/OxsOJQRzlaUIRv30PhpD5QpfebEaH1VTutfGTufQQQ5z/SYpLZQ==",
                "sha1": "ee4e6109705467c3c1d0d00ee8ca582d3f7093fb"
            }
        }
    ],
    "domains": [
        "7b22706b67223a22406f706c75732f6f6275732d636f7265222c2275223a.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun",
        "xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun",
        "api.ipify.org"
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-core/MAL-2026-5424.json"