{"id":"MAL-2026-6562","summary":"Malicious code in @epic-common/observability-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (73d7457ccefffe2de1f0464f21ac2eadfb981be593d2b34ceb0d5cde1174da0b)\nPackage targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the ./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0. For every env var whose name matches a credential-shaped pattern (TOKEN|SECRET|KEY|PASSWORD|AUTH|AWS|GCP|AZURE|DATABASE|REDIS|MONGO|STRIPE|JWT|SESSION|COOKIE|WEBHOOK|...), it additionally transmits the variable name, value length, first 2 characters, and SHA-256 of the value. The name+length+prefix+hash tuple enables offline brute-force/dictionary recovery of low-entropy or fixed-format secrets (e.g., AWS access keys). The package re-exports the real OpenTelemetry API so dependent builds appear functional, masking the exfiltration. Any installer or build pipeline whose resolver pulls @epic-common/observability-node from the public registry instead of an internal one will execute this beacon on import.\nSelf-described as a security-research PoC, but the README/intent self-label does not change the installer-side harm: env-var inventory, host identifiers, and credential fingerprints leave the installer's machine to a non-first-party endpoint without consent.\n","modified":"2026-06-29T05:16:43.448849773Z","published":"2026-06-29T04:21:26Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007721","import_time":"2026-06-29T05:07:07.00655198Z","modified_time":"2026-06-29T04:21:26Z","versions":["10.10.2"],"sha256":"73d7457ccefffe2de1f0464f21ac2eadfb981be593d2b34ceb0d5cde1174da0b","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"source":"amazon-inspector"},{"id":"IN-MAL-2026-007722","import_time":"2026-06-29T05:07:07.124804403Z","modified_time":"2026-06-29T04:21:35Z","versions":["10.10.1"],"sha256":"dec788bdcb2fa3098e1493c67e5b6e8a83f5495046e6cd3cf90fc654437fe221","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@epic-common/observability-node/v/10.10.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@epic-common/observability-node/v/10.10.1"}],"affected":[{"package":{"name":"@epic-common/observability-node","ecosystem":"npm","purl":"pkg:npm/%40epic-common%2Fobservability-node"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["10.10.2","10.10.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"1a017608c2148c1309ea56e12a399933a6624c5b8c597e0833ea03ad8b4d77b21fe15e","path":"package.json","sha256":"e9173a7d3f71bd90464bde21130a4dc0cb8d226c7185446c552220213efc3e45"},{"tlsh":"7da1b7466cf5127106d3d0e97a5e6142f17f84531654a0b8790da70c2fdd6ac83fe2c7","path":"dist/api/index.mjs","sha256":"9e8757ab3929744c14cee6526b4e050944329b3faa027d3b3dcf60f389248f7f"}],"package_integrity":[{"filename":"observability-node-10.10.2.tgz","hashes":{"sha512_sri":"sha512-RhrakWpWSOP7ZdVeyv7kZ1bO4pdI0Gq1tfrVHHiWfgQR48rUwUBHaFxqlQhxiEEXnow2NnH3bHA1gHj5fQeJvw==","sha1":"34908dfdfd1bd6940c82377f48d457d074a821cc"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@epic-common/observability-node/MAL-2026-6562.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}