MAL-2026-5425

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-web-sdk/MAL-2026-5425.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5425

Published

2026-06-09T17:16:38Z

Modified

2026-06-09T18:01:32.552316734Z

Summary

Malicious code in @oplus/obus-web-sdk (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9)

On npm install, the package's scripts/postinstall.js collects the installer's username (os.userInfo()), hostname (os.hostname()), current working directory (process.cwd()), and public IP (fetched from https://api.ipify.org), then exfiltrates the data to a hardcoded interactsh C2 subdomain xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun through two channels: a DNS lookup with the hex-encoded payload as a subdomain, and an HTTPS GET to /poc carrying the data base64-encoded in an x-poc header. The package uses the @oplus scope (impersonating OPlus/Oppo internal namespaces) and is published at version 99.99.99 — the canonical dependency-confusion pattern designed to outrank any legitimate internal release during resolution. The in-source comment framing this as a benign PoC does not change the installer-side harm: any build that resolves @oplus/obus-web-sdk against the public registry will leak host/user/IP/cwd to attacker infrastructure.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005007",
            "versions": [
                "99.99.99"
            ],
            "sha256": "870118deab21abae390aabf8c29ffc8e0b29bb14fa1ebc9d66b5c673c5680e12",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:16:39Z",
            "import_time": "2026-06-09T17:45:48.489808916Z"
        },
        {
            "id": "IN-MAL-2026-005006",
            "versions": [
                "99.99.99"
            ],
            "sha256": "956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:16:38Z",
            "import_time": "2026-06-09T17:45:48.457399799Z"
        }
    ]
}

References

https://www.npmjs.com/package/@oplus/obus-web-sdk/v/99.99.99

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @oplus/obus-web-sdk

Package

Name: @oplus/obus-web-sdk; View open source insights on deps.dev
Purl: pkg:npm/%40oplus%2Fobus-web-sdk

Affected ranges

Affected versions

99.*

99.99.99

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "scripts/postinstall.js",
            "sha256": "22d9555e398870d0fdccbe756f7a84e1fe5055f70ad874a490c8b2008a03241c",
            "tlsh": "dd1102e862f0932401b250c8c8abdd0a4117e1137646e894facc41949f456b8ecf29f9"
        },
        {
            "path": "package.json",
            "sha256": "cda1e66202206525342bb97d5f3a0df2252897cc4e9e8c2c9bccdecef36eb9e7",
            "tlsh": "20d022542c04a33339cd06af0836d808b1a98e4ef344b8184bc301c0d30a3facea6b26"
        }
    ],
    "package_integrity": [
        {
            "filename": "obus-web-sdk-99.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-azu+JHGRqklsQEk2xXpu2Yq488zkNwOErBCLy7Leu66dp9EhZwDxDqdspFjzRJiTPoxmA+d1+on/I9jkv+nN/g==",
                "sha1": "77a3f64cf26e35dbb54f169660ada1f5ea5048c4"
            }
        }
    ],
    "domains": [
        "api.ipify.org"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-web-sdk/MAL-2026-5425.json"