MAL-2026-10412

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/env-stream/MAL-2026-10412.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10412
Published
2026-07-13T06:56:15Z
Modified
2026-07-13T07:47:02.066732193Z
Summary
Malicious code in env-stream (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11)

Package publishes under the name env-stream but its package.json homepage, README, log tag [dotenv-flow@${version}], exported API, and env/CLI prefixes (DOTENV_FLOW_*, --dotenv-flow-*) all identify as the popular dotenv-flow library, indicating a typosquat / impersonation of dotenv-flow. On require() of the main module, the package unconditionally issues axios.get() against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes Module._compile(responseBody, 'error.js') and returns m.exports() to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "677d8eb3f7a80ffdc5f500d41f25b1f09415199e55e3194e96fe55b3c895111c",
            "id": "IN-MAL-2026-009844",
            "import_time": "2026-07-13T07:40:12.640223286Z",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-07-13T06:56:15Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11",
            "id": "IN-MAL-2026-009845",
            "import_time": "2026-07-13T07:40:12.777930129Z",
            "modified_time": "2026-07-13T06:56:22Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / env-stream

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "env-stream-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Bn1u/euVoeUgI+26Ul6qoyAbp1OGp0Y6zsTbY/hAMWw2U52HWNtaGTAsPlHSSBBMSepB+YgsijB3JhWJAqmkIw==",
                "sha1": "4afa108bbe419f7429483ba0310b43f0230c70ba"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ab52720868aa6b2167f372d56acf001db2b5d237321965817acd67d03f99838f1f3d89",
            "sha256": "08841447de9d520d0f2c3a43b199a89b12244a3a32c77a19a2d2dcfd5ad11d1d",
            "path": "lib/dotenv-flow.js"
        },
        {
            "tlsh": "da31c2a2c8559db32ec1b891796d01816066da8b4d50bc0e33a6536c4f8d83f13ffb1d",
            "sha256": "c34970e5526ab0fe5450fa0c57fb4c4b213a151d293547186291aedd6e28cf5d",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/env-stream/MAL-2026-10412.json"