nikou-node @2.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4620
Ecosystem
npm
Summary
utils/BotClient.js hardcodes a Feishu/Lark appId (cli_a88b12e0b9b51013) and appSecret (aBRv7CbiWuL7csrMavfLvc5sMW5B4Ky7) as default constructor values, instantiating a lark.Client capable of sending messages, fetching users, and adding members to chats within the author's Lark tenant. Anyone who installs the package receives these credentials in plain source and can impersonate the author's Feishu bot against the Lark API, with Lark/the author's tenant as the third-party victim. Additional concerns observed but not the basis for this verdict: utils/UsageStatClient.js hardcodes credentials for a MySQL telemetry host (mysql-hk-global-feature.hszq8.com) and sends per-CLI-invocation hostname/identity data to it; commands/nb-init.js embeds a plaintext GitLab PAT for the author's own internal GitLab over HTTP. Those are author self-harm / undisclosed telemetry rather than installer harm.
Source: amazon-inspector (d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.