Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10416: Malicious code in kuaishou (npm)

0
High
Published: 07/13/2026 (07/13/2026, 06:17:05 UTC)
Source: GCVE Database
Product: kuaishou

Description

The npm package 'kuaishou' versions 99.9.9 and 99.9.10 contains malicious code in its 'prepare' lifecycle script. This script automatically runs on 'npm install' and exfiltrates host, user, platform identifiers, and the full environment variables to a hardcoded attacker-controlled ngrok tunnel. When run in GitHub Actions environments, it additionally steals OIDC ID tokens used for cloud credential access. This behavior is consistent with a dependency confusion or typosquatting attack targeting CI environments.

Affected software

npmghsa
kuaishou
Affected versions
=99.9.10=99.9.9

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 09:22:45 UTC

Technical Analysis

The malicious 'kuaishou' npm package versions 99.9.9 and 99.9.10 include a 'prepare' lifecycle script that executes automatically during installation. This script collects sensitive environment data including host, user, platform identifiers, and the entire process environment variables, then sends this data via HTTP POST to a hardcoded ngrok tunnel URL controlled by the attacker. In GitHub Actions CI environments, the script reads specific environment variables related to OIDC token requests, obtains an OIDC ID token, and includes it in the exfiltrated data. The stolen token can be used to obtain cloud credentials if trust relationships are configured, enabling potential cloud resource compromise. The versioning and hardcoded destination suggest this package is part of a dependency confusion or typosquatting campaign aimed at automated CI pipelines.

Potential Impact

Sensitive environment information and potentially cloud access tokens are exfiltrated to an attacker-controlled endpoint. This can lead to unauthorized access to cloud resources via stolen OIDC tokens, especially in CI environments like GitHub Actions. The compromise of cloud credentials can result in further escalation and resource misuse. The malicious code executes automatically on package installation, increasing the risk of widespread impact if the package is used in automated workflows.

Mitigation Recommendations

No official patch or remediation is currently documented for this malicious package. Users should avoid installing 'kuaishou' versions 99.9.9 and 99.9.10 from npm. Review and audit dependencies for typosquatting or dependency confusion risks, especially in CI/CD pipelines. Rotate any potentially exposed cloud credentials and tokens if this package was installed in your environment. Monitor for suspicious network traffic to unknown ngrok tunnels or unexpected environment variable access in CI environments.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10416
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a54ad9268715ace438f0503

Added to database: 07/13/2026, 09:19:14 UTC

Last enriched: 07/13/2026, 09:22:45 UTC

Last updated: 07/13/2026, 09:22:45 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses