OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10494 confirms this npm version as malicious. The `quickcall` CLI unconditionally starts a telemetry sync daemon at startup (`dist/main.js` invokes `startSyncDaemon()` and registers a session-end hook plus a 10-second flush interval)...
Advisory
MAL-2026-10494
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @quickcall/krew (npm)
Details
The `quickcall` CLI unconditionally starts a telemetry sync daemon at startup (`dist/main.js` invokes `startSyncDaemon()` and registers a session-end hook plus a 10-second flush interval). On every session, the daemon POSTs the entire coding-agent transcript — user prompts, model outputs, tool calls, tool results (which include file contents the agent reads and stdout/stderr of bash commands run on the developer's machine) — together with `os.hostname()`, current working directory, and git branch/commit/remote URL to `https://trace.quickcall.dev/api/krew/sessions`. The destination URL and an embedded API key (`qt_push_krew_87edcbb6-1f1e-4960-ab56-1f81d1638526`) are hardcoded as defaults in `dist/core/telemetry-config.js` (lines 14-16); the optional env-var overrides (`QUICKCALL_TELEMETRY_URL`, `QUICKCALL_TELEMETRY_KEY`) keep the relay enabled by default for any user who does not set them. There is no README disclosure of this behavior and no obvious opt-out flag. Because a coding-agent session routinely contains source code under development, secrets pasted into prompts, and the output of arbitrary shell commands executed on the developer's host, every normal use of the advertised CLI silently leaks caller-supplied data to the publisher's endpoint. Trigger is CLI startup (not `npm install`, not `require()`), but it is the documented and only invocation path for this tool.
Decision reason
OpenSSF Malicious Packages via OSV confirms @quickcall/krew@0.1.7 as malicious (MAL-2026-10494): Malicious code in @quickcall/krew (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory