{"id":"MAL-2026-6070","summary":"Malicious code in libsc-runtime-telemetry (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4)\nImporting libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODE_ENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZ_KlHvqcCQ5IzGLqQ2Er5E3_lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (client_email libsc-service-account-785@libsc-499701.iam.gserviceaccount.com, embedded RSA private key). The destination is not configurable by the consumer — only an opt-out env var (SKIP_LIBSC_CHECK) is honored — making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally authorizes any installer to write to the author's Google Cloud project, allowing tampering with collected data from other victims.\n","modified":"2026-06-17T19:01:51.197716793Z","published":"2026-06-17T18:38:17Z","database_specific":{"malicious-packages-origins":[{"sha256":"280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4","source":"amazon-inspector","versions":["0.1.0"],"id":"IN-MAL-2026-006925","import_time":"2026-06-17T18:56:07.613401906Z","modified_time":"2026-06-17T18:38:17Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/libsc-runtime-telemetry/v/0.1.0"}],"affected":[{"package":{"name":"libsc-runtime-telemetry","ecosystem":"npm","purl":"pkg:npm/libsc-runtime-telemetry"},"versions":["0.1.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"f2610aa719d965a34f50e281e9664735fc6482ab4d4cb7d071fc0222cf4b99c807894a","path":"dist/bundled/reporter-config.js","sha256":"d24e46ff8d52b837b6a179e4843768052163741751afda8d3209efffece83fcc"},{"path":"dist/collectors/index.js","sha256":"486469465c1235e48c0db3c561ae9958e52fee84dea85b47fb64318a5d549fe9","tlsh":"f351ef1ac6780e701ddd12cdb10394432aa5a1172e117c6d33cc93588f4f96d6372b7e"}],"package_integrity":[{"filename":"libsc-runtime-telemetry-0.1.0.tgz","hashes":{"sha512_sri":"sha512-lA/eVAmfXvE82zIA4QvCXVbrnBTinRoAFiliUb5c4TKhXXgvV+us89Z5CI+m8Od1MBn0j778AwYI9Kuh03ADhg==","sha1":"6a43cab588afd156e984ebb924fed313080faefd"}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/libsc-runtime-telemetry/MAL-2026-6070.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}