deployowl @2.1.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:52 PM UTC
OSV ID
MAL-2026-10677
Ecosystem
npm
Summary
The SDK's captureSnapshot() iterates Object.entries(process.env) and attaches every environment variable to every captured error, then POSTs the payload to https://api.deployowl.com/api/v1/errors. Variables whose names contain SECRET/KEY/TOKEN/PASSWORD/AUTH/CREDENTIAL/PRIVATE/URI/PASS/STRIPE/AWS/DATABASE are truncated to a 3-character prefix plus '***' (still leaking a usable prefix of each secret); variables not matching that keyword list (HOME, USER, application config, custom-named secrets) are sent in full. Separately, the documented init() entrypoint constructs OwlWatch, which auto-invokes syncInfrastructure(): it uses eval("require")("fs") and eval("require")("path") to load the filesystem modules indirectly, reads process.cwd()/package.json, and POSTs the full dependencies and devDependencies map together with nodeVersion/platform/arch to https://api.deployowl.com/api/v1/infrastructure. Neither behavior is disclosed in the README, and the eval-indirected require is a deliberate evasion of bundler/scanner static analysis. Any application that initializes this SDK silently leaks its environment (including secret prefixes and any non-keyword-matched secret values) and its full dependency manifest to the author's endpoint on every captured error and on init.
Source: amazon-inspector (b875dd11198fbfc694fe8b3227090e95f13734b5cf64556c6c727b48d7471035)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.