-= Per source details. Do not edit below this line.=-
core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config() (or get(), which lazily invokes config()), a worker (plugin.worker.js) issues an HTTPS request to a destination whose URL is hidden as an array of hex byte values and reconstructed at runtime via String.fromCharCode; the decoded host is realase-0626.vercel.app (path /api/v1). The response is JSON-parsed and its parser field is passed to vm.runInContext in a context exposing Function, then invoked with Node's require as an argument, granting remotely supplied code full Node capabilities on the host that loaded the library. The destination is unrelated to any documented dotenv functionality, the URL is obfuscated to evade static review, and the fetched content is executed rather than treated as data.
{
"malicious-packages-origins": [
{
"sha256": "aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e",
"versions": [
"1.4.1"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010614",
"modified_time": "2026-07-15T04:01:05Z",
"import_time": "2026-07-15T04:32:07.189286435Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "core-dotenv-1.4.1.tgz",
"hashes": {
"sha512_sri": "sha512-bJ4vtCe6RpBjeyoFyfLGp5kJS3VuLa3bxfknb3Bgnj9WaJ69Brs+FxVPcsIxyqESNj7V6VT3f/w+sT6XcSpYwg==",
"sha1": "206a169e0cc8d013ca7dcdb6bfdaa379bfa2bf25"
}
}
],
"evidence_files": [
{
"path": "lib/workers/runWorker.js",
"sha256": "fc2897f62e7bf40d930bd726257d0e79719e5c69769b654124b9e797bc6e2688",
"tlsh": "5921c0d66256215f09b3bfbcd5434216d64660631251818bba5ccb953ff3560e243f9c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/core-dotenv/MAL-2026-10631.json"