registry  /  deployowl  /  2.1.0

deployowl@2.1.0

Error tracking SDK for DeployOwl

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10677 confirms this npm version as malicious. The SDK's captureSnapshot() iterates Object.entries(process.env) and attaches every environment variable to every captured error, then POSTs the payload to https://api.deployowl.com/api/v1/errors...

Advisory
MAL-2026-10677
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in deployowl (npm)
Details
The SDK's captureSnapshot() iterates Object.entries(process.env) and attaches every environment variable to every captured error, then POSTs the payload to https://api.deployowl.com/api/v1/errors. Variables whose names contain SECRET/KEY/TOKEN/PASSWORD/AUTH/CREDENTIAL/PRIVATE/URI/PASS/STRIPE/AWS/DATABASE are truncated to a 3-character prefix plus '***' (still leaking a usable prefix of each secret); variables not matching that keyword list (HOME, USER, application config, custom-named secrets) are sent in full. Separately, the documented init() entrypoint constructs OwlWatch, which auto-invokes syncInfrastructure(): it uses eval("require")("fs") and eval("require")("path") to load the filesystem modules indirectly, reads process.cwd()/package.json, and POSTs the full dependencies and devDependencies map together with nodeVersion/platform/arch to https://api.deployowl.com/api/v1/infrastructure. Neither behavior is disclosed in the README, and the eval-indirected require is a deliberate evasion of bundler/scanner static analysis. Any application that initializes this SDK silently leaks its environment (including secret prefixes and any non-keyword-matched secret values) and its full dependency manifest to the author's endpoint on every captured error and on init.
Decision reason
OpenSSF Malicious Packages via OSV confirms deployowl@2.1.0 as malicious (MAL-2026-10677): Malicious code in deployowl (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory