VDB
KO

MAL-2026-6993

Malicious code in bytefaas-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08) Package published at version 9999.0.0 under the name `bytefaas-sdk`, the canonical dependency-confusion shape used to shadow a private internal package of the same name. `package.json` declares a `preinstall` hook that runs `callback.js`. On any `npm install`, callback.js collects the installer's `os.hostname()`, `os.userInfo().username`, platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets `rejectUnauthorized: false`, disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / bytefaas-sdk

No fixed version published yet for bytefaas-sdk (npm). Pin to a known-safe version or switch to an alternative.

References