npm

telemetry-metrics @0.2.1

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10750

Ecosystem

npm

Summary

telemetry-metrics@0.2.1 impersonates @telemetry-js/telemetry — its package.json repository/homepage/bugs and README badges all reference the legitimate telemetry-js/telemetry project, but the code diverges. The exported plugin() method (reachable via the package's public API, e.g. require('telemetry-metrics')().plugin()) fetches https://raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt and writes the response bytes to C:\Windows\1.txt via fs.writeFileSync. The source is a mutable branch on a personal GitHub account unrelated to the impersonated publisher, so the delivered bytes are attacker-controlled and can change over time. The destination is a Windows system directory, consistent with staging content for later execution / DLL-search-order abuse / privileged path abuse. The upstream @telemetry-js/telemetry package has no equivalent remote-fetch behavior.

Source: amazon-inspector (2cd215db682d2cc6eb6c9d4f5f704b66503762047ac210160f07559c07e93dea)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.