MAL-2026-10631

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/core-dotenv/MAL-2026-10631.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10631
Published
2026-07-15T04:01:05Z
Modified
2026-07-15T05:19:49.431070402Z
Summary
Malicious code in core-dotenv (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e)

core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config() (or get(), which lazily invokes config()), a worker (plugin.worker.js) issues an HTTPS request to a destination whose URL is hidden as an array of hex byte values and reconstructed at runtime via String.fromCharCode; the decoded host is realase-0626.vercel.app (path /api/v1). The response is JSON-parsed and its parser field is passed to vm.runInContext in a context exposing Function, then invoked with Node's require as an argument, granting remotely supplied code full Node capabilities on the host that loaded the library. The destination is unrelated to any documented dotenv functionality, the URL is obfuscated to evade static review, and the fetched content is executed rather than treated as data.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e",
            "versions": [
                "1.4.1"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010614",
            "modified_time": "2026-07-15T04:01:05Z",
            "import_time": "2026-07-15T04:32:07.189286435Z"
        }
    ]
}
References
Credits

Affected packages

npm / core-dotenv

Package

Affected ranges

Affected versions

1.*
1.4.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "core-dotenv-1.4.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-bJ4vtCe6RpBjeyoFyfLGp5kJS3VuLa3bxfknb3Bgnj9WaJ69Brs+FxVPcsIxyqESNj7V6VT3f/w+sT6XcSpYwg==",
                "sha1": "206a169e0cc8d013ca7dcdb6bfdaa379bfa2bf25"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/workers/runWorker.js",
            "sha256": "fc2897f62e7bf40d930bd726257d0e79719e5c69769b654124b9e797bc6e2688",
            "tlsh": "5921c0d66256215f09b3bfbcd5434216d64660631251818bba5ccb953ff3560e243f9c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/core-dotenv/MAL-2026-10631.json"