npm

kuaishou @99.9.11

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC

Malicious

OSV ID

MAL-2026-10416

Ecosystem

npm

Summary

The package's prepare lifecycle script, which runs automatically on npm install , collects host, user, and platform identifiers along with the full process.env and POSTs them to a hardcoded ngrok tunnel at crabbing-thong-overhung.ngrok-free.dev (path /?cross_os_cloud=1 ). When executed in GitHub Actions, it additionally reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN, requests a GitHub Actions OIDC ID token, and includes that token in the exfiltrated payload. The version number (99.9.9) and hardcoded attacker-controlled tunnel destination are consistent with a dependency-confusion / typosquat lure targeting CI environments; the OIDC token can be exchanged for cloud credentials via configured trust relationships.

Source: amazon-inspector (fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.