Malicious package

libsc-runtime-telemetry (npm)

Malicious code in libsc-runtime-telemetry (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6070
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall libsc-runtime-telemetry
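
A lockfile check to go with the removal step, because the package can also sit in the tree as a transitive or aliased dependency. This is an added example, not part of the advisory: the sample lockfile and the names demo-app, build-helper and tele are constructed, and it assumes npm's lockfile layouts (v2/v3 `packages` map with a `name` field on aliased entries, v1 nested `dependencies`).

```javascript
// Added example (not from the advisory): find installs of the flagged package in a parsed package-lock.json.
const PKG = 'libsc-runtime-telemetry';   // package name from the advisory
const FLAGGED = new Set(['0.1.0']);      // flagged version from the advisory
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function findInstalls(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED.has(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const folder = path.split('node_modules/').pop();
      // An aliased install keeps the real package name in "name".
      if (path !== '' && (folder === PKG || meta.name === PKG)) record(path, meta.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Entries that declare PKG as a dependency, directly or via an npm: alias (v2/v3 lockfiles only).
function findDependents(lock) {
  const declares = (deps) => Object.entries(deps || {})
    .some(([name, range]) => name === PKG || String(range).startsWith(`npm:${PKG}@`));
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => DEP_FIELDS.some((f) => declares(meta[f])))
    .map(([path]) => path || '(root project)');
}

// Constructed sample lockfile (v3 layout); all names except PKG are made up.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', dependencies: { 'build-helper': '^1.0.0', tele: 'npm:libsc-runtime-telemetry@0.1.0' } },
    'node_modules/build-helper': { version: '1.2.0', dependencies: { 'libsc-runtime-telemetry': '^0.1.0' } },
    'node_modules/build-helper/node_modules/libsc-runtime-telemetry': { version: '0.1.0' },
    'node_modules/tele': { name: 'libsc-runtime-telemetry', version: '0.1.0' },
  },
};
console.log(findInstalls(SAMPLE_LOCK), findDependents(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to both functions; every path returned by findDependents is a package that has to be removed, replaced or upgraded before the install disappears from the tree.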

What this malware does

Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODE_ENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZ_KlHvqcCQ5IzGLqQ2Er5E3_lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (client_email [email protected], embedded RSA private key). The destination is not configurable by the consumer — only an opt-out env var (SKIP_LIBSC_CHECK) is honored — making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally authorizes any installer to write to the author's Google Cloud project, allowing tampering with collected data from other victims.

Malicious versions

1 flagged
0.1.0

Indicators of compromise (SHA-256)

280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4

Frequently asked questions

No. libsc-runtime-telemetry on npm has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006925

Credits

  • Amazon Inspector · finder

libsc-runtime-telemetry (npm) malicious package — MAL-2026-6070 | O3 Security