MAL-2026-6993

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bytefaas-sdk/MAL-2026-6993.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6993
Published
2026-07-08T16:27:34Z
Modified
2026-07-08T17:16:45.357080212Z
Summary
Malicious code in bytefaas-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08)

Package published at version 9999.0.0 under the name bytefaas-sdk, the canonical dependency-confusion shape used to shadow a private internal package of the same name. package.json declares a preinstall hook that runs callback.js. On any npm install, callback.js collects the installer's os.hostname(), os.userInfo().username, platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets rejectUnauthorized: false, disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "07cb4f68cec68081ac4817ad2ae387e7b031d3377a74a74ecca59c5858940d08",
            "id": "IN-MAL-2026-008119",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:32.09511727Z",
            "modified_time": "2026-07-08T16:27:34Z",
            "versions": [
                "9999.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / bytefaas-sdk

Package

Affected ranges

Affected versions

9999.*
9999.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "tlsh": "dc2140e460b699b51af0a3d2b0d5952246bbd200b64af7a1e18c02d8179f5f88231da5",
            "sha256": "067f8f30d289087f6914c1ac685d24391b542844c06dadfd210b54ac202b3d66"
        },
        {
            "path": "package.json",
            "tlsh": "d6f0aca06860553318f8839704b6a109b379ed1be818a94f96c2168e83be5b60377d8d",
            "sha256": "841300ea9df748f1fad515128c8e630cfbbee5590397698b020bc048f88961a8"
        }
    ],
    "package_integrity": [
        {
            "filename": "bytefaas-sdk-9999.0.0.tgz",
            "hashes": {
                "sha1": "f7ce30f712d4bcf9c878815e21a407c73265f910",
                "sha512_sri": "sha512-j+/RzzWTwxeLb5LrfWIgKZyG5ZfdH5+0wDDc9JVP4uLOlO6UFR96eiJYYFE1QP41YBAiTevZ/wTAmdIqvBNe9Q=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bytefaas-sdk/MAL-2026-6993.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]