MAL-2026-4620

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nikou-node/MAL-2026-4620.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4620

Published

2026-05-21T12:39:54Z

Modified

2026-05-26T06:02:43.229103560Z

Summary

Malicious code in nikou-node (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426)

utils/BotClient.js hardcodes a Feishu/Lark appId (cli_a88b12e0b9b51013) and appSecret (aBRv7CbiWuL7csrMavfLvc5sMW5B4Ky7) as default constructor values, instantiating a lark.Client capable of sending messages, fetching users, and adding members to chats within the author's Lark tenant. Anyone who installs the package receives these credentials in plain source and can impersonate the author's Feishu bot against the Lark API, with Lark/the author's tenant as the third-party victim. Additional concerns observed but not the basis for this verdict: utils/UsageStatClient.js hardcodes credentials for a MySQL telemetry host (mysql-hk-global-feature.hszq8.com) and sends per-CLI-invocation hostname/identity data to it; commands/nb-init.js embeds a plaintext GitLab PAT for the author's own internal GitLab over HTTP. Those are author self-harm / undisclosed telemetry rather than installer harm.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T12:39:54Z",
            "versions": [
                "2.0.1"
            ],
            "sha256": "d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426",
            "id": "IN-MAL-2026-003807",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:21.368299915Z"
        }
    ]
}

References

https://www.npmjs.com/package/nikou-node/v/2.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / nikou-node

Package

Name: nikou-node; View open source insights on deps.dev
Purl: pkg:npm/nikou-node

Affected ranges

Affected versions

2.*

2.0.1

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "e143b825af3c1f2fc5efda7ce02f5a4bed35d621b8096d2c10e3d748278e12ed",
            "tlsh": "9962941868f705648577f0ac6f4f210070b0f4173a84dda9bf9dab594f86a60d6f2fa8",
            "path": "utils/BotClient.js"
        },
        {
            "sha256": "67058031d26dc4bdc95eaad0c10024a2c4859c26d70167582b5a1b8b0fe24b12",
            "tlsh": "51e1451eb6f7592056232490092f11c23029b1073915adbdbf6c87509f7e2aab47bfe9",
            "path": "utils/UsageStatClient.js"
        },
        {
            "sha256": "f386be2bba443a37c1aee116a80eb72fc4cdaf837c4864feb38355f59c379a94",
            "tlsh": "b133e84909ffaa7346e77654978b0417b91c92037008f968bf9dc7482f8532886f6be9",
            "path": "commands/nb-init.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "nikou-node-2.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-TyBA8naFPh8ODjS7AI3x3/rs03Ff/OGVBtBVW9qHhJ/hF1aBhbfw/ABn2uUWkLZmYt76BFYXZwuQQqb1UzaPnw==",
                "sha1": "9ef2763088886a9c93354604075101431f9745db"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nikou-node/MAL-2026-4620.json"