registry  /  @epic-common/observability-node  /  10.10.2

@epic-common/observability-node@10.10.2

SECURITY RESEARCH PoC (Epic Games HackerOne, dependency confusion) by Raman_MG. Faithful OpenTelemetry facade shim. DO NOT USE.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6562 confirms this npm version as malicious. Package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0...

Advisory
MAL-2026-6562
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @epic-common/observability-node (npm)
Details
Package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the./api subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0. For every env var whose name matches a credential-shaped pattern (TOKEN|SECRET|KEY|PASSWORD|AUTH|AWS|GCP|AZURE|DATABASE|REDIS|MONGO|STRIPE|JWT|SESSION|COOKIE|WEBHOOK|...), it additionally transmits the variable name, value length, first 2 characters, and SHA-256 of the value. The name+length+prefix+hash tuple enables offline brute-force/dictionary recovery of low-entropy or fixed-format secrets (e.g., AWS access keys). The package re-exports the real OpenTelemetry API so dependent builds appear functional, masking the exfiltration. Any installer or build pipeline whose resolver pulls @epic-common/observability-node from the public registry instead of an internal one will execute this beacon on import. Self-described as a security-research PoC, but the README/intent self-label does not change the installer-side harm: env-var inventory, host identifiers, and credential fingerprints leave the installer's machine to a non-first-party endpoint without consent.
Decision reason
OpenSSF Malicious Packages via OSV confirms @epic-common/observability-node@10.10.2 as malicious (MAL-2026-6562): Malicious code in @epic-common/observability-node (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory