MAL-2026-10403
Malicious code in @iana-rzms/bff-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b7adbad0c719aec3345c5aa16b3435e8621f4a81b5a0e0cf0e0d979509e5d21f) Package published to the public @iana-rzms scope as a dependency-confusion squat targeting an internal ICANN namespace. The preinstall lifecycle script runs automatically on npm install and collects the installer's hostname, OS username, and current working directory, base64-encodes them, and transmits them via HTTPS (port 443), HTTP (port 80), and DNS lookup to the hardcoded external host k4pzh6vg78iub3vxqhmml2q8wz2qqge5.oastify.com (a Burp Collaborator subdomain). The self-described 'authorized PoC' framing in the README does not change installer-side impact: any build that resolves @iana-rzms/bff-sdk from the public registry executes attacker/researcher-controlled code at install time and leaks host identity to a non-first-party collector.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @iana-rzms/bff-sdk (npm). Pin to a known-safe version or switch to an alternative.