VDB
KO

MAL-2026-10486

Malicious code in @omniwatch-wick/cli (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e77b823fd6a050959af05f24e75f87cad447ab83a65c31349c7a559502af278c) index.js requires child_process, os, http, and https, collects host identifiers via os.userInfo(), hostname, and process.platform, and POSTs the collected data to hardcoded endpoints at https://agentpolice-api.vedantn06soni.workers.dev (references at lines 17 and 268) and https://night-watch-indol.vercel.app (line 195). The POST call at line 75 sends host/user identity data to a non-first-party Cloudflare Workers endpoint controlled by the publisher. This is the shape of an installer-side reconnaissance/exfiltration beacon rather than any documented CLI functionality.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @omniwatch-wick/cli

No fixed version published yet for @omniwatch-wick/cli (npm). Pin to a known-safe version or switch to an alternative.

References