Supply-chain threat intelligence
Risk score
92
Indexed incident for deployowl (npm).
The SDK's captureSnapshot() iterates Object.entries(process.env) and attaches every environment variable to every captured error, then POSTs the payload to https://api.deployowl.com/api/v1/errors. Variables whose names contain SECRET/KEY/TOKEN/PASSWORD/AUTH/CREDENTIAL/PRIVATE/URI/PASS/STRIPE/AWS/DATABASE are truncated to a 3-character prefix plus '***' (still leaking a usable prefix of each secret); variables not matching that keyword list (HOME, USER, application config, custom-named secrets) are sent in full. Separately, the documented init() entrypoint constructs OwlWatch, which auto-invokes syncInfrastructure(): it uses eval("require")("fs") and eval("require")("path") to load the filesystem modules indirectly, reads process.cwd()/package.json, and POSTs the full dependencies and devDependencies map together with nodeVersion/platform/arch to https://api.deployowl.com/api/v1/infrastructure. Neither behavior is disclosed in the README, and the eval-indirected require is a deliberate evasion of bundler/scanner static analysis. Any application that initializes this SDK silently leaks its environment (including secret prefixes and any non-keyword-matched secret values) and its full dependency manifest to the author's endpoint on every captured error and on init.
Affected versions
Indicators
Timeline