MAL-2026-10677

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/deployowl/MAL-2026-10677.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10677
Published
2026-07-15T11:28:20Z
Modified
2026-07-15T11:49:25.700874157Z
Summary
Malicious code in deployowl (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b875dd11198fbfc694fe8b3227090e95f13734b5cf64556c6c727b48d7471035)

The SDK's captureSnapshot() iterates Object.entries(process.env) and attaches every environment variable to every captured error, then POSTs the payload to https://api.deployowl.com/api/v1/errors. Variables whose names contain SECRET/KEY/TOKEN/PASSWORD/AUTH/CREDENTIAL/PRIVATE/URI/PASS/STRIPE/AWS/DATABASE are truncated to a 3-character prefix plus '***' (still leaking a usable prefix of each secret); variables not matching that keyword list (HOME, USER, application config, custom-named secrets) are sent in full. Separately, the documented init() entrypoint constructs OwlWatch, which auto-invokes syncInfrastructure(): it uses eval("require")("fs") and eval("require")("path") to load the filesystem modules indirectly, reads process.cwd()/package.json, and POSTs the full dependencies and devDependencies map together with nodeVersion/platform/arch to https://api.deployowl.com/api/v1/infrastructure. Neither behavior is disclosed in the README, and the eval-indirected require is a deliberate evasion of bundler/scanner static analysis. Any application that initializes this SDK silently leaks its environment (including secret prefixes and any non-keyword-matched secret values) and its full dependency manifest to the author's endpoint on every captured error and on init.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010676",
            "import_time": "2026-07-15T11:33:40.246107276Z",
            "sha256": "b875dd11198fbfc694fe8b3227090e95f13734b5cf64556c6c727b48d7471035",
            "versions": [
                "2.1.0"
            ],
            "modified_time": "2026-07-15T11:28:20Z"
        }
    ]
}
References
Credits

Affected packages

npm / deployowl

Package

Affected ranges

Affected versions

2.*
2.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/deployowl/MAL-2026-10677.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "deployowl-2.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-fYj2ChsHFZeOtkerDzBNyogQNUUhQck+rCFTfb5wV/FYMLsrBhflmFbAJXnm70Iuq6N7u2gsEZlmqrcUYbFU1A==",
                "sha1": "caca365409b219b0f009d72a6f6a0ae1d1102af0"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "ce7da957913b0be4e8dcad76dac2493f5ec02af512dc3c12a33274756b080627",
            "tlsh": "37d196945b6ea83a19f41630e40463027ae65fa1151b803c7e3898fe76dcc6cb1a9f3d"
        }
    ]
}