VYPR

npm · Malicious package advisory

Malware

nikou-node

MAL-2026-4620

Malicious code in nikou-node (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426)
utils/BotClient.js hardcodes a Feishu/Lark appId (cli_a88b12e0b9b51013) and appSecret (aBRv7CbiWuL7csrMavfLvc5sMW5B4Ky7) as default constructor values, instantiating a lark.Client capable of sending messages, fetching users, and adding members to chats within the author's Lark tenant. Anyone who installs the package receives these credentials in plain source and can impersonate the author's Feishu bot against the Lark API, with Lark/the author's tenant as the third-party victim. Additional concerns observed but not the basis for this verdict: utils/UsageStatClient.js hardcodes credentials for a MySQL telemetry host (mysql-hk-global-feature.hszq8.com) and sends per-CLI-invocation hostname/identity data to it; commands/nb-init.js embeds a plaintext GitLab PAT for the author's own internal GitLab over HTTP. Those are author self-harm / undisclosed telemetry rather than installer harm.

Compromised versions (1)

  • 2.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.