VYPR

npm · Malicious package advisory

Malware

libsc-runtime-telemetry

MAL-2026-6070

Malicious code in libsc-runtime-telemetry (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4)
Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODE_ENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZ_KlHvqcCQ5IzGLqQ2Er5E3_lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (client_email libsc-service-account-785@libsc-499701.iam.gserviceaccount.com, embedded RSA private key). The destination is not configurable by the consumer — only an opt-out env var (SKIP_LIBSC_CHECK) is honored — making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally authorizes any installer to write to the author's Google Cloud project, allowing tampering with collected data from other victims.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.