@oplus/obus-web-sdk@99.99.99

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID: MAL-2026-5425

Ecosystem: npm

Summary

On npm install, the package's scripts/postinstall.js collects the installer's username (os.userInfo()), hostname (os.hostname()), current working directory (process.cwd()), and public IP (fetched from https://api.ipify.org), then exfiltrates the data to a hardcoded interactsh C2 subdomain xjaipnfhcpawuhzlgzkzo1ak3aai9m873.oast.fun through two channels: a DNS lookup with the hex-encoded payload as a subdomain, and an HTTPS GET to /poc carrying the data base64-encoded in an x-poc header. The package uses the @oplus scope (impersonating OPlus/Oppo internal namespaces) and is published at version 99.99.99, the canonical dependency-confusion pattern designed to outrank any legitimate internal release during resolution. The in-source comment framing this as a benign PoC does not change the installer-side harm: any build that resolves @oplus/obus-web-sdk against the public registry will leak host/user/IP/cwd to attacker infrastructure.

Source: amazon-inspector (956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9)
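
A lockfile check for the resolution pattern described in the summary, as an added example that is not part of the advisory or of the package: it flags package-lock.json (v2/v3) entries in an internal scope that were resolved from the public registry or carry an inflated version. The internal scope list, the internal registry host npm.internal.example, and the sample lockfile (including the @oplus/ui-kit entry) are constructed assumptions.

```javascript
// Added example: flag lockfile entries that match the dependency-confusion pattern.
const PUBLIC_REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

// Package name = text after the last "node_modules/" in a lockfile v2/v3 key.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findConfusionCandidates(lock, internalScopes) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !name.startsWith('@')) continue;
    if (!internalScopes.includes(name.split('/')[0])) continue;

    const reasons = [];
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* missing or non-URL */ }
    if (host && PUBLIC_REGISTRY_HOSTS.has(host)) reasons.push('resolved-from-public-registry');
    const major = parseInt(String(entry.version || '').split('.')[0], 10);
    if (major >= 99) reasons.push('inflated-version');
    // Install scripts only raise severity of an entry that is already suspicious.
    if (entry.hasInstallScript && reasons.length) reasons.push('has-install-script');
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@oplus/obus-web-sdk': {
      version: '99.99.99',
      resolved: 'https://registry.npmjs.org/@oplus/obus-web-sdk/-/obus-web-sdk-99.99.99.tgz',
      hasInstallScript: true,
    },
    'node_modules/@oplus/ui-kit': { // hypothetical internal package
      version: '2.3.1',
      resolved: 'https://npm.internal.example/@oplus/ui-kit/-/ui-kit-2.3.1.tgz',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

console.log(findConfusionCandidates(sampleLock, ['@oplus']));
```

Run it in CI against the committed lockfile with the organisation's real internal scopes; a finding means the scope is not pinned to the internal registry for that install.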