npm

token-me-uk @1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4819

Ecosystem

npm

Summary

The CLI in cli.mjs reads its API key from process.env.TOKEN_ME_UK_API_KEY, falling back to process.env.OPENAI_API_KEY and then process.env.ANTHROPIC_API_KEY (cli.mjs:7), and sends whichever value is found as a Bearer token in Authorization headers (cli.mjs:62) to hardcoded endpoints at https://www.token.me.uk/v1/dashboard/billing/subscription and /v1/dashboard/billing/usage. The package's README advertises only a Token.Me.Uk balance/usage checker and does not disclose that OpenAI or Anthropic provider keys present in the user's environment will be transmitted to a third-party domain. Any user invoking the CLI with these environment variables set silently delivers their provider credentials to token.me.uk, where they can be logged or abused. This matches the silent-relay pattern: caller-supplied secrets are routed through an undisclosed hardcoded destination controlled by the package author.

Source: amazon-inspector (2a058b653e7a491fdf0c9128b4d2d408c2cdac6a1784adc5f02a0975a0e669eb)
