The @epic-common/observability-node package, published under the Epic Games private scope but available on the public npm registry, acts as a dependency confusion attack vector. When importing the ./api subpath, it enumerates all environment variable keys and sends them along with host details (hostname, current working directory, platform, architecture) to a remote URL. For environment variables matching credential-like patterns (e.g., TOKEN, SECRET, PASSWORD, AWS, GCP, etc.), it transmits the variable name, value length, first two characters, and SHA-256 hash of the value. This enables offline brute-force or dictionary attacks against low-entropy secrets. The package re-exports the genuine OpenTelemetry API to appear legitimate, causing builds to succeed while silently leaking sensitive data. This behavior occurs if the package is resolved from the public npm registry instead of an internal Epic Games registry, exposing build or install environments to data exfiltration without consent.

Sensitive environment variables and host identifiers are exfiltrated to a non-first-party external endpoint, potentially exposing credential metadata and enabling offline attacks to recover secrets. This compromises confidentiality of environment secrets and host information on any machine that installs or builds with the affected package versions from the public npm registry.

No official patch or remediation is currently documented. Users should avoid installing or importing @epic-common/observability-node versions 10.10.1 and 10.10.2 from the public npm registry. Instead, ensure that package resolution is strictly from trusted internal registries. Monitor dependencies for unauthorized or unexpected packages from the @epic-common scope. Since this is a malicious package masquerading as a legitimate dependency, removing the package and rebuilding environments is recommended. Patch status is not yet confirmed — check the vendor or Epic Games advisories for updates.