-= Per source details. Do not edit below this line.=-
Package publishes under the name env-stream but its package.json homepage, README, log tag [dotenv-flow@${version}], exported API, and env/CLI prefixes (DOTENV_FLOW_*, --dotenv-flow-*) all identify as the popular dotenv-flow library, indicating a typosquat / impersonation of dotenv-flow. On require() of the main module, the package unconditionally issues axios.get() against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes Module._compile(responseBody, 'error.js') and returns m.exports() to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.
{
"malicious-packages-origins": [
{
"sha256": "677d8eb3f7a80ffdc5f500d41f25b1f09415199e55e3194e96fe55b3c895111c",
"id": "IN-MAL-2026-009844",
"import_time": "2026-07-13T07:40:12.640223286Z",
"versions": [
"1.0.1"
],
"modified_time": "2026-07-13T06:56:15Z",
"source": "amazon-inspector"
},
{
"sha256": "d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11",
"id": "IN-MAL-2026-009845",
"import_time": "2026-07-13T07:40:12.777930129Z",
"modified_time": "2026-07-13T06:56:22Z",
"versions": [
"1.0.2"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "env-stream-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-Bn1u/euVoeUgI+26Ul6qoyAbp1OGp0Y6zsTbY/hAMWw2U52HWNtaGTAsPlHSSBBMSepB+YgsijB3JhWJAqmkIw==",
"sha1": "4afa108bbe419f7429483ba0310b43f0230c70ba"
}
}
],
"evidence_files": [
{
"tlsh": "ab52720868aa6b2167f372d56acf001db2b5d237321965817acd67d03f99838f1f3d89",
"sha256": "08841447de9d520d0f2c3a43b199a89b12244a3a32c77a19a2d2dcfd5ad11d1d",
"path": "lib/dotenv-flow.js"
},
{
"tlsh": "da31c2a2c8559db32ec1b891796d01816066da8b4d50bc0e33a6536c4f8d83f13ffb1d",
"sha256": "c34970e5526ab0fe5450fa0c57fb4c4b213a151d293547186291aedd6e28cf5d",
"path": "package.json"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/env-stream/MAL-2026-10412.json"