kuaishou @99.9.10
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10416
Ecosystem
npm
Summary
The package's prepare lifecycle script, which runs automatically on npm install , collects host, user, and platform identifiers along with the full process.env and POSTs them to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (path /?cross_os_cloud=1 ). When executed in GitHub Actions, it additionally reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN, requests a GitHub Actions OIDC ID token, and includes that token in the exfiltrated payload. The version number (99.9.9) and hardcoded attacker-controlled tunnel destination are consistent with a dependency-confusion / typosquat lure targeting CI environments; the OIDC token can be exchanged for cloud credentials via configured trust relationships.
Source: amazon-inspector (fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.