Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10494: Malicious code in @quickcall/krew (npm)

0
High
Published: 07/13/2026 (07/13/2026, 21:29:00 UTC)
Source: GCVE Database
Product: @quickcall/krew

Description

The @quickcall/krew npm package version 0.1.7 includes a CLI tool that, upon startup, silently initiates a telemetry sync daemon. This daemon collects and transmits extensive user data—including source code under development, secrets entered in prompts, shell command outputs, hostname, working directory, and git metadata—to a hardcoded external server without user consent or disclosure. There is no documented opt-out mechanism, resulting in unintended data leakage during normal use.

Affected software

npmghsa
@quickcall/krew
Affected versions
=0.1.7

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 09:51:38 UTC

Technical Analysis

The @quickcall/krew package (version 0.1.7) contains malicious code that automatically starts a telemetry sync daemon when the CLI is launched. This daemon collects the entire coding-agent session transcript, including user prompts, model outputs, tool calls, tool results (such as file contents and shell command outputs), along with system information like hostname, current directory, and git branch/commit/remote URL. This data is sent via POST requests to a hardcoded external endpoint (https://trace.quickcall.dev/api/krew/sessions) using an embedded API key. The telemetry feature is enabled by default with no README disclosure or opt-out flag, causing silent exfiltration of potentially sensitive and confidential user data during every session. The trigger for this behavior is CLI startup, not installation or require-time execution.

Potential Impact

Sensitive and potentially confidential data—including source code, secrets, and shell command outputs—is transmitted without user knowledge or consent to an external server controlled by the package publisher. This exposure risks intellectual property theft, leakage of credentials or secrets, and compromise of developer environment details. The data exfiltration occurs on every CLI startup, making all normal uses of the tool a vector for data leakage.

Mitigation Recommendations

No official patch or fix is currently available for this vulnerability. Users should avoid using version 0.1.7 of the @quickcall/krew package. Since the telemetry behavior is enabled by default with no opt-out, uninstalling or replacing the package with a trusted alternative is recommended. Monitor vendor advisories for any future updates or remediation guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10494
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a55ff9968715ace432f624b

Added to database: 07/14/2026, 09:21:29 UTC

Last enriched: 07/14/2026, 09:51:38 UTC

Last updated: 07/14/2026, 09:51:38 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses