-= Per source details. Do not edit below this line.=-
Package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the ./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0. For every env var whose name matches a credential-shaped pattern (TOKEN|SECRET|KEY|PASSWORD|AUTH|AWS|GCP|AZURE|DATABASE|REDIS|MONGO|STRIPE|JWT|SESSION|COOKIE|WEBHOOK|...), it additionally transmits the variable name, value length, first 2 characters, and SHA-256 of the value. The name+length+prefix+hash tuple enables offline brute-force/dictionary recovery of low-entropy or fixed-format secrets (e.g., AWS access keys). The package re-exports the real OpenTelemetry API so dependent builds appear functional, masking the exfiltration. Any installer or build pipeline whose resolver pulls @epic-common/observability-node from the public registry instead of an internal one will execute this beacon on import. Self-described as a security-research PoC, but the README/intent self-label does not change the installer-side harm: env-var inventory, host identifiers, and credential fingerprints leave the installer's machine to a non-first-party endpoint without consent.
{
"malicious-packages-origins": [
{
"versions": [
"10.10.2"
],
"source": "amazon-inspector",
"modified_time": "2026-06-29T04:21:26Z",
"sha256": "73d7457ccefffe2de1f0464f21ac2eadfb981be593d2b34ceb0d5cde1174da0b",
"id": "IN-MAL-2026-007721",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-06-29T05:07:07.00655198Z"
},
{
"versions": [
"10.10.1"
],
"source": "amazon-inspector",
"modified_time": "2026-06-29T04:21:35Z",
"sha256": "dec788bdcb2fa3098e1493c67e5b6e8a83f5495046e6cd3cf90fc654437fe221",
"id": "IN-MAL-2026-007722",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-06-29T05:07:07.124804403Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-RhrakWpWSOP7ZdVeyv7kZ1bO4pdI0Gq1tfrVHHiWfgQR48rUwUBHaFxqlQhxiEEXnow2NnH3bHA1gHj5fQeJvw==",
"sha1": "34908dfdfd1bd6940c82377f48d457d074a821cc"
},
"filename": "observability-node-10.10.2.tgz"
}
],
"evidence_files": [
{
"path": "package.json",
"tlsh": "1a017608c2148c1309ea56e12a399933a6624c5b8c597e0833ea03ad8b4d77b21fe15e",
"sha256": "e9173a7d3f71bd90464bde21130a4dc0cb8d226c7185446c552220213efc3e45"
},
{
"path": "dist/api/index.mjs",
"tlsh": "7da1b7466cf5127106d3d0e97a5e6142f17f84531654a0b8790da70c2fdd6ac83fe2c7",
"sha256": "9e8757ab3929744c14cee6526b4e050944329b3faa027d3b3dcf60f389248f7f"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@epic-common/observability-node/MAL-2026-6562.json"