npm · Malicious package advisory
Malwarelibsc-runtime-telemetry
MAL-2026-6070
Malicious code in libsc-runtime-telemetry (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4) Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODE_ENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZ_KlHvqcCQ5IzGLqQ2Er5E3_lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (client_email libsc-service-account-785@libsc-499701.iam.gserviceaccount.com, embedded RSA private key). The destination is not configurable by the consumer — only an opt-out env var (SKIP_LIBSC_CHECK) is honored — making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally authorizes any installer to write to the author's Google Cloud project, allowing tampering with collected data from other victims.
Compromised versions (1)
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.