-= Per source details. Do not edit below this line.=-
Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODEENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZKlHvqcCQ5IzGLqQ2Er5E3lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (clientemail libsc-service-account-785@libsc-499701.iam.gserviceaccount.com, embedded RSA private key). The destination is not configurable by the consumer — only an opt-out env var (SKIPLIBSCCHECK) is honored — making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally authorizes any installer to write to the author's Google Cloud project, allowing tampering with collected data from other victims.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4",
"versions": [
"0.1.0"
],
"import_time": "2026-06-17T18:56:07.613401906Z",
"id": "IN-MAL-2026-006925",
"modified_time": "2026-06-17T18:38:17Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "libsc-runtime-telemetry-0.1.0.tgz",
"hashes": {
"sha1": "6a43cab588afd156e984ebb924fed313080faefd",
"sha512_sri": "sha512-lA/eVAmfXvE82zIA4QvCXVbrnBTinRoAFiliUb5c4TKhXXgvV+us89Z5CI+m8Od1MBn0j778AwYI9Kuh03ADhg=="
}
}
],
"evidence_files": [
{
"tlsh": "f2610aa719d965a34f50e281e9664735fc6482ab4d4cb7d071fc0222cf4b99c807894a",
"sha256": "d24e46ff8d52b837b6a179e4843768052163741751afda8d3209efffece83fcc",
"path": "dist/bundled/reporter-config.js"
},
{
"tlsh": "f351ef1ac6780e701ddd12cdb10394432aa5a1172e117c6d33cc93588f4f96d6372b7e",
"sha256": "486469465c1235e48c0db3c561ae9958e52fee84dea85b47fb64318a5d549fe9",
"path": "dist/collectors/index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/libsc-runtime-telemetry/MAL-2026-6070.json"