MAL-2026-6562
Malicious code in @epic-common/observability-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (73d7457ccefffe2de1f0464f21ac2eadfb981be593d2b34ceb0d5cde1174da0b)

The package targets the private @epic-common scope (Epic Games) and is published to the public npm registry as a dependency-confusion vehicle. On import of the `./api` subpath, top-level code enumerates all process.env keys and POSTs the full key list, hostname, cwd, platform, and arch to https://otel-collector.ramanmgg1.workers.dev/da32b89f213c91a0. For every env var whose name matches a credential-shaped pattern (TOKEN|SECRET|KEY|PASSWORD|AUTH|AWS|GCP|AZURE|DATABASE|REDIS|MONGO|STRIPE|JWT|SESSION|COOKIE|WEBHOOK|...), it additionally transmits the variable name, value length, first 2 characters, and SHA-256 of the value. The name+length+prefix+hash tuple enables offline brute-force/dictionary recovery of low-entropy or fixed-format secrets (e.g., AWS access keys). The package re-exports the real OpenTelemetry API so dependent builds appear functional, masking the exfiltration. Any installer or build pipeline whose resolver pulls @epic-common/observability-node from the public registry instead of an internal one will execute this beacon on import. The package describes itself as a security-research PoC, but the README/intent self-label does not change the installer-side harm: the env-var inventory, host identifiers, and credential fingerprints leave the installer's machine for a non-first-party endpoint without consent.
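The dependency-confusion vector described above can be caught before any install-time or import-time code runs by comparing where each private-scope package in the lockfile was actually resolved from against the registry that scope is pinned to in `.npmrc`. The Python script below is an added example, not code from this advisory or from Amazon Inspector; the `package-lock.json` contents, the `.npmrc`, and the internal registry host `npm.internal.example` are constructed for illustration. It handles lockfile v2/v3 (`packages` map) and goes slightly beyond the single package named above by flagging every package in any scope that `.npmrc` maps to a non-public registry.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfileVersion 3). Not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {
            "@epic-common/observability-node": "^1.0.0",
            "@opentelemetry/api": "^1.9.0",
        }},
        # Private-scope package that was resolved from the PUBLIC registry: the
        # exact situation the advisory describes.
        "node_modules/@epic-common/observability-node": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/@epic-common/observability-node/-/observability-node-1.0.0.tgz",
        },
        # Public package from the public registry: expected, not a finding.
        "node_modules/@opentelemetry/api": {
            "version": "1.9.0",
            "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz",
        },
        # Private-scope package correctly served by the internal registry (hostname constructed).
        "node_modules/@epic-common/logging": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.example/@epic-common/logging/-/logging-2.3.1.tgz",
        },
    },
})

# Constructed .npmrc: the private scope must only ever resolve from the internal registry.
SAMPLE_NPMRC = """
registry=https://registry.npmjs.org/
@epic-common:registry=https://npm.internal.example/
"""


def parse_scoped_registries(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=<url>' line in an .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2).rstrip("/")
    return scopes


def package_name_from_path(path):
    """'node_modules/a/node_modules/@scope/pkg' -> '@scope/pkg' (nested installs included)."""
    return path.split("node_modules/")[-1]


def find_confused_packages(lock_text, npmrc_text):
    """Flag lockfile entries whose scope is pinned to a private registry in .npmrc but
    whose 'resolved' tarball URL points at a different host.

    Only lockfileVersion 2/3 ('packages' map) is handled; a v1 lockfile yields no findings.
    """
    lock = json.loads(lock_text)
    private_scopes = parse_scoped_registries(npmrc_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name_from_path(path)
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope not in private_scopes:
            continue
        resolved_host = urlparse(meta.get("resolved", "")).hostname
        expected_host = urlparse(private_scopes[scope]).hostname
        if resolved_host != expected_host:
            findings.append({
                "package": name,
                "version": meta.get("version"),
                "resolved_from": resolved_host,
                "expected": expected_host,
            })
    return findings


if __name__ == "__main__":
    for f in find_confused_packages(SAMPLE_LOCK, SAMPLE_NPMRC):
        print(f"DEPENDENCY CONFUSION: {f['package']}@{f['version']} "
              f"resolved from {f['resolved_from']}, expected {f['expected']}")
```

Run it against a real checkout by reading `package-lock.json` and `.npmrc` from disk instead of the constructed strings; a non-empty result should fail the CI job, since a private-scope package that resolved from registry.npmjs.org has already been fetched and will run on the next `import`. The same `.npmrc` scope pinning is also the preventive control: with `@epic-common:registry` set to the internal registry, npm never consults the public registry for that scope.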
Affected packages
@epic-common/observability-node (npm). Introduced: 0. No fixed version published yet. Pin to a known-safe version or switch to an alternative.