{"id":"MAL-2026-6993","summary":"Malicious code in bytefaas-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08)\nPackage published at version 9999.0.0 under the name `bytefaas-sdk`, the canonical dependency-confusion shape used to shadow a private internal package of the same name. `package.json` declares a `preinstall` hook that runs `callback.js`. On any `npm install`, callback.js collects the installer's `os.hostname()`, `os.userInfo().username`, platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets `rejectUnauthorized: false`, disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.\n","modified":"2026-07-08T17:16:45.357080212Z","published":"2026-07-08T16:27:34Z","database_specific":{"malicious-packages-origins":[{"versions":["9999.0.0"],"modified_time":"2026-07-08T16:27:34Z","source":"amazon-inspector","import_time":"2026-07-08T17:01:32.09511727Z","id":"IN-MAL-2026-008119","sha256":"07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bytefaas-sdk/v/9999.0.0"}],"affected":[{"package":{"name":"bytefaas-sdk","ecosystem":"npm","purl":"pkg:npm/bytefaas-sdk"},"versions":["9999.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"bytefaas-sdk-9999.0.0.tgz","hashes":{"sha1":"f7ce30f712d4bcf9c878815e21a407c73265f910","sha512_sri":"sha512-j+/RzzWTwxeLb5LrfWIgKZyG5ZfdH5+0wDDc9JVP4uLOlO6UFR96eiJYYFE1QP41YBAiTevZ/wTAmdIqvBNe9Q=="}}],"evidence_files":[{"path":"callback.js","sha256":"067f8f30d289087f6914c1ac685d24391b542844c06dadfd210b54ac202b3d66","tlsh":"dc2140e460b699b51af0a3d2b0d5952246bbd200b64af7a1e18c02d8179f5f88231da5"},{"path":"package.json","tlsh":"d6f0aca06860553318f8839704b6a109b379ed1be818a94f96c2168e83be5b60377d8d","sha256":"841300ea9df748f1fad515128c8e630cfbbee5590397698b020bc048f88961a8"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bytefaas-sdk/MAL-2026-6993.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}