npm

bytefaas-sdk @9999.0.0

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6993

Ecosystem

npm

Summary

Package published at version 9999.0.0 under the name bytefaas-sdk , the canonical dependency-confusion shape used to shadow a private internal package of the same name. package.json declares a preinstall hook that runs callback.js . On any npm install , callback.js collects the installer's os.hostname() , os.userInfo().username , platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets rejectUnauthorized: false , disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.

Source: amazon-inspector (07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.