npm · Malicious package advisory
Malwarebytefaas-sdk
MAL-2026-6993
Malicious code in bytefaas-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08) Package published at version 9999.0.0 under the name `bytefaas-sdk`, the canonical dependency-confusion shape used to shadow a private internal package of the same name. `package.json` declares a `preinstall` hook that runs `callback.js`. On any `npm install`, callback.js collects the installer's `os.hostname()`, `os.userInfo().username`, platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets `rejectUnauthorized: false`, disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.
Compromised versions (1)
- 9999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.