MAL-2026-10677: Malicious code in deployowl (npm)
The deployowl npm package version 2.1.0 contains malicious code that silently leaks environment variables and dependency information to a remote endpoint. The SDK captures all environment variables on error and sends them to https://api.deployowl.com/api/v1/errors, truncating only variables with certain keywords but sending others in full. Additionally, on initialization, it reads and sends the full dependency manifest and system details to the same endpoint. This behavior is not disclosed in the documentation and uses evasion techniques to avoid static analysis detection.
AI Analysis
Technical Summary
The deployowl npm package version 2.1.0 includes a malicious SDK that captures all environment variables from process.env and sends them to a remote server on error events, truncating only variables whose names contain certain sensitive keywords but sending others fully, potentially exposing secrets. On initialization, it also reads the current working directory's package.json to extract dependencies and system information, sending this data to the attacker's endpoint. The use of eval-indirected require calls is a deliberate attempt to evade static code analysis tools. This results in silent exfiltration of environment secrets and dependency data without user consent or disclosure.
Potential Impact
Applications using deployowl version 2.1.0 leak sensitive environment variables, including secret prefixes and full values of variables not matching specific keywords, to an external attacker-controlled server. Additionally, the full dependency manifest and system information are exfiltrated on initialization. This exposure can lead to credential compromise, intellectual property leakage, and increased attack surface due to knowledge of dependencies and environment.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove or avoid using deployowl version 2.1.0. Monitor for any unauthorized data exfiltration and rotate any potentially exposed secrets. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
MAL-2026-10677: Malicious code in deployowl (npm)
Description
The deployowl npm package version 2.1.0 contains malicious code that silently leaks environment variables and dependency information to a remote endpoint. The SDK captures all environment variables on error and sends them to https://api.deployowl.com/api/v1/errors, truncating only variables with certain keywords but sending others in full. Additionally, on initialization, it reads and sends the full dependency manifest and system details to the same endpoint. This behavior is not disclosed in the documentation and uses evasion techniques to avoid static analysis detection.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The deployowl npm package version 2.1.0 includes a malicious SDK that captures all environment variables from process.env and sends them to a remote server on error events, truncating only variables whose names contain certain sensitive keywords but sending others fully, potentially exposing secrets. On initialization, it also reads the current working directory's package.json to extract dependencies and system information, sending this data to the attacker's endpoint. The use of eval-indirected require calls is a deliberate attempt to evade static code analysis tools. This results in silent exfiltration of environment secrets and dependency data without user consent or disclosure.
Potential Impact
Applications using deployowl version 2.1.0 leak sensitive environment variables, including secret prefixes and full values of variables not matching specific keywords, to an external attacker-controlled server. Additionally, the full dependency manifest and system information are exfiltrated on initialization. This exposure can lead to credential compromise, intellectual property leakage, and increased attack surface due to knowledge of dependencies and environment.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove or avoid using deployowl version 2.1.0. Monitor for any unauthorized data exfiltration and rotate any potentially exposed secrets. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10677
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577eca68715ace43b3ec44
Added to database: 07/15/2026, 12:36:26 UTC
Last enriched: 07/15/2026, 12:39:29 UTC
Last updated: 07/16/2026, 03:34:58 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.