VDB
KO

MAL-2026-10416

Malicious code in kuaishou (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608) The package's `prepare` lifecycle script, which runs automatically on `npm install`, collects host, user, and platform identifiers along with the full `process.env` and POSTs them to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (path `/?cross_os_cloud=1`). When executed in GitHub Actions, it additionally reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN, requests a GitHub Actions OIDC ID token, and includes that token in the exfiltrated payload. The version number (99.9.9) and hardcoded attacker-controlled tunnel destination are consistent with a dependency-confusion / typosquat lure targeting CI environments; the OIDC token can be exchanged for cloud credentials via configured trust relationships.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / kuaishou

No fixed version published yet for kuaishou (npm). Pin to a known-safe version or switch to an alternative.

References