@oplus/obus-core @99.99.99
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5424
Ecosystem: npm
Summary
On npm install, scripts/postinstall.js collects the installer's username (os.userInfo()), hostname (os.hostname()), current working directory (process.cwd()), and public IP (fetched from https://api.ipify.org), then ships this data to a hardcoded interactsh callback at xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun through two channels: (1) a DNS lookup whose label is the hex-encoded payload prefixed onto the C2 domain, and (2) an HTTPS GET to /poc with the JSON payload base64-encoded in an x-poc header. The package is published at version 99.99.99 under the @oplus scope (mirroring OPlus/Oppo internal naming) — the textbook dependency-confusion shape designed to outrank an internal counterpart during resolution. A source comment self-labels the package as a 'Dependency Confusion PoC - Bug Bounty Research', but the exfiltration fires on every install regardless of stated intent: any developer or build system that resolves this package leaks host identifiers to the attacker-controlled callback domain.
Source: amazon-inspector (ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d)
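A lock-file check for the dependency-confusion shape described in the summary, added here as an example (it is not part of the OSV record or of the package). The private registry host, the treatment of @oplus as an internal-only scope, the @oplus/ui-kit entry and the sample lock file are assumptions constructed for illustration.

```javascript
// Added example: flag internal-scope packages that a package-lock.json
// (lockfileVersion 2/3) resolved from somewhere other than the private registry.
const INTERNAL_SCOPES = ["@oplus"];                    // assumption: scopes meant to be internal-only
const INTERNAL_REGISTRY_HOST = "npm.internal.example"; // hypothetical private registry host

// Constructed sample lock file; @oplus/ui-kit is a hypothetical internal package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "build-tooling", version: "1.0.0" },
    "node_modules/@oplus/obus-core": {
      version: "99.99.99",
      resolved: "https://registry.npmjs.org/@oplus/obus-core/-/obus-core-99.99.99.tgz",
      hasInstallScript: true,
    },
    "node_modules/@oplus/ui-kit": {
      version: "2.3.1",
      resolved: "https://npm.internal.example/@oplus/ui-kit/-/ui-kit-2.3.1.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
  },
};

// "node_modules/a/node_modules/@scope/name" -> "@scope/name"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLock(lock, scopes = INTERNAL_SCOPES, registryHost = INTERNAL_REGISTRY_HOST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip the root project and workspace links
    const name = packageName(path);
    if (!scopes.some((scope) => name.startsWith(scope + "/"))) continue;
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* missing or non-URL source */ }
    if (host === registryHost) continue; // came from the private registry as expected
    const reasons = [`resolved from ${host || "unknown source"}`];
    // Heuristic (assumption): a very high major version is typical of confusion uploads.
    if (parseInt(String(entry.version).split(".")[0], 10) >= 90) reasons.push(`inflated version ${entry.version}`);
    if (entry.hasInstallScript) reasons.push("runs install scripts");
    findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Run against the real lock file in CI and fail the build on any finding; installing with npm's --ignore-scripts flag additionally keeps a postinstall hook like this one from executing.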