MAL-2026-5426
Vulnerability from ossf_malicious_packages
Published
2026-06-09 17:16
Modified
2026-06-09 17:47
Summary
Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723)

@oplus/obus-web-sdk-plugin-recovery@99.99.99 publishes to a likely-private internal scope at an artificially high version to win resolution against an organization's internal package. On npm install, scripts/postinstall.js executes automatically and: (1) reads os.userInfo().username, os.hostname(), and process.cwd(); (2) fetches the installer's public IP from api.ipify.org; (3) hex-encodes the collected fields and issues a DNS lookup of <payload>.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun, leaking the data via the subdomain label to an interactsh out-of-band C2; (4) base64-encodes the same payload and sends it as an x-poc header in an HTTPS GET to https://xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun/poc. The file labels itself a 'Dependency Confusion PoC - Bug Bounty Research,' but the runtime behavior is unconditional exfiltration of installer identity to a third-party endpoint, with no opt-out, on every install. Combined with the 99.99.99 version pin against the @oplus scope, this is the classic dependency-confusion attack shape and is harmful to any installer who resolves it.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "domains": [
            "xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun",
            "7b22706b67223a22406f706c75732f6f6275732d7765622d73646b2d706c.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun"
          ],
          "evidence_files": [
            {
              "path": "scripts/postinstall.js",
              "sha256": "eca04096b1bbed57ac2c1339d39a63a326592aae523f40c23babd4ba8eca7f0c",
              "tlsh": "2111efa462f0932401b250c8c8abde0a5117e117b946e899facc42949f457b8ecf2af9"
            },
            {
              "path": "package.json",
              "sha256": "d9f597f62ebfcf05ae9d7e3ed157c235214717fe409b50505d3d850b32a6fa6a",
              "tlsh": "1ed0a7542c04933268dd066a0435d445b5594a4df745f41d4bc302c0d7053f5c967719"
            }
          ],
          "package_integrity": [
            {
              "filename": "obus-web-sdk-plugin-recovery-99.99.99.tgz",
              "hashes": {
                "sha1": "0a956eb6ccff5badab509c1830e2f5de61a684c5",
                "sha512_sri": "sha512-N+hVfUB7tBOBR7LMdjrD95MmWZh8/l/EswyZANNm7DkpNkLBToVZsVmw6mQkTaO69WKC5Qy6nSqnwt9AhvtRjQ=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "@oplus/obus-web-sdk-plugin-recovery"
      },
      "versions": [
        "99.99.99"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-005004",
        "import_time": "2026-06-09T17:45:48.284380613Z",
        "modified_time": "2026-06-09T17:16:34Z",
        "sha256": "a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723",
        "source": "amazon-inspector",
        "versions": [
          "99.99.99"
        ]
      },
      {
        "id": "IN-MAL-2026-005005",
        "import_time": "2026-06-09T17:45:48.402258467Z",
        "modified_time": "2026-06-09T17:16:35Z",
        "sha256": "c2654b14fdaecfaf92b6ef7c34e19a59779d8997dc755dd1737a5d73abb0a410",
        "source": "amazon-inspector",
        "versions": [
          "99.99.99"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723)\n@oplus/obus-web-sdk-plugin-recovery@99.99.99 publishes to a likely-private internal scope at an artificially high version to win resolution against an organization\u0027s internal package. On `npm install`, scripts/postinstall.js executes automatically and: (1) reads os.userInfo().username, os.hostname(), and process.cwd(); (2) fetches the installer\u0027s public IP from api.ipify.org; (3) hex-encodes the collected fields and issues a DNS lookup of `\u003cpayload\u003e.xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun`, leaking the data via the subdomain label to an interactsh out-of-band C2; (4) base64-encodes the same payload and sends it as an `x-poc` header in an HTTPS GET to https://xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun/poc. The file labels itself a \u0027Dependency Confusion PoC - Bug Bounty Research,\u0027 but the runtime behavior is unconditional exfiltration of installer identity to a third-party endpoint, with no opt-out, on every install. Combined with the 99.99.99 version pin against the @oplus scope, this is the classic dependency-confusion attack shape and is harmful to any installer who resolves it.\n",
  "id": "MAL-2026-5426",
  "modified": "2026-06-09T17:47:54Z",
  "published": "2026-06-09T17:16:34Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@oplus/obus-web-sdk-plugin-recovery/v/99.99.99"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.