registry  /  bytefaas-sdk  /  9999.0.0

bytefaas-sdk@9999.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6993 confirms this npm version as malicious. Package published at version 9999.0.0 under the name `bytefaas-sdk`, the canonical dependency-confusion shape used to shadow a private internal package of the same name. `package.json` declares a `preinstall` hook that runs `callback.js`. On any `npm install`, callback.js collects the installer's `os.hostname()`, `os.userInfo().username`, platform, and cwd and transmits them to a third-party Interactsh (oast.fun)...

Advisory
MAL-2026-6993
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in bytefaas-sdk (npm)
Details
Package published at version 9999.0.0 under the name `bytefaas-sdk`, the canonical dependency-confusion shape used to shadow a private internal package of the same name. `package.json` declares a `preinstall` hook that runs `callback.js`. On any `npm install`, callback.js collects the installer's `os.hostname()`, `os.userInfo().username`, platform, and cwd and transmits them to a third-party Interactsh (oast.fun) endpoint via both a DNS lookup (encoded subdomain) and an HTTPS POST. The HTTPS request sets `rejectUnauthorized: false`, disabling TLS certificate verification on the beacon. The package's README self-describes as a bug-bounty canary against TikTok's internal build systems, but the exfiltration fires unconditionally against any installer whose resolver picks up this public 9999.0.0 release — including unrelated organizations and CI systems. Cover-story framing does not change that non-consenting installers' host identifiers leak to a third-party server.
Decision reason
OpenSSF Malicious Packages via OSV confirms bytefaas-sdk@9999.0.0 as malicious (MAL-2026-6993): Malicious code in bytefaas-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory