VDB
KO

MAL-2026-10750

Malicious code in telemetry-metrics (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2cd215db682d2cc6eb6c9d4f5f704b66503762047ac210160f07559c07e93dea) telemetry-metrics@0.2.1 impersonates @telemetry-js/telemetry — its package.json repository/homepage/bugs and README badges all reference the legitimate telemetry-js/telemetry project, but the code diverges. The exported plugin() method (reachable via the package's public API, e.g. require('telemetry-metrics')().plugin()) fetches https://raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt and writes the response bytes to C:\Windows\1.txt via fs.writeFileSync. The source is a mutable branch on a personal GitHub account unrelated to the impersonated publisher, so the delivered bytes are attacker-controlled and can change over time. The destination is a Windows system directory, consistent with staging content for later execution / DLL-search-order abuse / privileged path abuse. The upstream @telemetry-js/telemetry package has no equivalent remote-fetch behavior.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / telemetry-metrics

No fixed version published yet for telemetry-metrics (npm). Pin to a known-safe version or switch to an alternative.

References