OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6562 confirms this npm version as malicious. Package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0...
Advisory
MAL-2026-6562
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @epic-common/observability-node (npm)
Details
Package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0. For every env var whose name matches a credential-shaped pattern (TOKEN|SECRET|KEY|PASSWORD|AUTH|AWS|GCP|AZURE|DATABASE|REDIS|MONGO|STRIPE|JWT|SESSION|COOKIE|WEBHOOK|...), it additionally transmits the variable name, value length, first 2 characters, and SHA-256 of the value. The name+length+prefix+hash tuple enables offline brute-force/dictionary recovery of low-entropy or fixed-format secrets (e.g., AWS access keys). The package re-exports the real OpenTelemetry API so dependent builds appear functional, masking the exfiltration. Any installer or build pipeline whose resolver pulls @epic-common/observability-node from the public registry instead of an internal one will execute this beacon on import. Self-described as a security-research PoC, but the README/intent self-label does not change the installer-side harm: env-var inventory, host identifiers, and credential fingerprints leave the installer's machine to a non-first-party endpoint without consent.
Decision reason
OpenSSF Malicious Packages via OSV confirms @epic-common/observability-node@10.10.1 as malicious (MAL-2026-6562): Malicious code in @epic-common/observability-node (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory