MAL-2026-5426
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-web-sdk-plugin-recovery/MAL-2026-5426.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5426
- Published
- 2026-06-09T17:16:34Z
- Modified
- 2026-06-09T18:01:31.709667692Z
- Summary
- Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723)
@oplus/obus-web-sdk-plugin-recovery@99.99.99 publishes to a likely-private internal scope at an artificially high version to win resolution against an organization's internal package. On
npm install, scripts/postinstall.js executes automatically and: (1) reads os.userInfo().username, os.hostname(), and process.cwd(); (2) fetches the installer's public IP from api.ipify.org; (3) hex-encodes the collected fields and issues a DNS lookup of<payload>.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun, leaking the data via the subdomain label to an interactsh out-of-band C2; (4) base64-encodes the same payload and sends it as anx-pocheader in an HTTPS GET to https://xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun/poc. The file labels itself a 'Dependency Confusion PoC - Bug Bounty Research,' but the runtime behavior is unconditional exfiltration of installer identity to a third-party endpoint, with no opt-out, on every install. Combined with the 99.99.99 version pin against the @oplus scope, this is the classic dependency-confusion attack shape and is harmful to any installer who resolves it. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005004", "versions": [ "99.99.99" ], "sha256": "a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723", "source": "amazon-inspector", "modified_time": "2026-06-09T17:16:34Z", "import_time": "2026-06-09T17:45:48.284380613Z" }, { "id": "IN-MAL-2026-005005", "versions": [ "99.99.99" ], "sha256": "c2654b14fdaecfaf92b6ef7c34e19a59779d8997dc755dd1737a5d73abb0a410", "source": "amazon-inspector", "modified_time": "2026-06-09T17:16:35Z", "import_time": "2026-06-09T17:45:48.402258467Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @oplus/obus-web-sdk-plugin-recovery
Package
- Name
- @oplus/obus-web-sdk-plugin-recovery
- View open source insights on deps.dev
- Purl
- pkg:npm/%40oplus%2Fobus-web-sdk-plugin-recovery
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "scripts/postinstall.js",
"sha256": "eca04096b1bbed57ac2c1339d39a63a326592aae523f40c23babd4ba8eca7f0c",
"tlsh": "2111efa462f0932401b250c8c8abde0a5117e117b946e899facc42949f457b8ecf2af9"
},
{
"path": "package.json",
"sha256": "d9f597f62ebfcf05ae9d7e3ed157c235214717fe409b50505d3d850b32a6fa6a",
"tlsh": "1ed0a7542c04933268dd066a0435d445b5594a4df745f41d4bc302c0d7053f5c967719"
}
],
"package_integrity": [
{
"filename": "obus-web-sdk-plugin-recovery-99.99.99.tgz",
"hashes": {
"sha512_sri": "sha512-N+hVfUB7tBOBR7LMdjrD95MmWZh8/l/EswyZANNm7DkpNkLBToVZsVmw6mQkTaO69WKC5Qy6nSqnwt9AhvtRjQ==",
"sha1": "0a956eb6ccff5badab509c1830e2f5de61a684c5"
}
}
],
"domains": [
"xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun",
"7b22706b67223a22406f706c75732f6f6275732d7765622d73646b2d706c.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@oplus/obus-web-sdk-plugin-recovery/MAL-2026-5426.json"