@iana-rzms/bff-sdk @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10403
Ecosystem
npm
Summary
Package published to the public @iana-rzms scope as a dependency-confusion squat targeting an internal ICANN namespace. The preinstall lifecycle script runs automatically on npm install and collects the installer's hostname, OS username, and current working directory, base64-encodes them, and transmits them via HTTPS (port 443), HTTP (port 80), and DNS lookup to the hardcoded external host k4pzh6vg78iub3vxqhmml2q8wz2qqge5.oastify.com (a Burp Collaborator subdomain). The self-described 'authorized PoC' framing in the README does not change installer-side impact: any build that resolves @iana-rzms/bff-sdk from the public registry executes attacker/researcher-controlled code at install time and leaks host identity to a non-first-party collector.
Source: amazon-inspector (b7adbad0c719aec3345c5aa16b3435e8621f4a81b5a0e0cf0e0d979509e5d21f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.