MAL-2026-3758

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dotenvv-tool/MAL-2026-3758.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3758
Published
2026-05-14T19:24:37Z
Modified
2026-05-15T07:52:43.106139Z
Summary
Malicious code in dotenvv-tool (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7)

The package name dotenvv-tool impersonates the popular dotenv package; index.js is an admitted dummy stub ("The real payload is in postinstall.js"). The postinstall lifecycle script runs on npm install and performs wholesale harvesting of installer-owned secrets: it reads ~/.npmrc (npm publish token), ~/.env (API keys, DB URLs, cloud credentials) and ~/.git-credentials; enumerates Chrome/Brave/Edge/Chromium/Vivaldi/Opera profile directories for 71 hardcoded crypto-wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, Ledger, Trezor, etc.) and reads their LevelDB .log files for vault/mnemonic/privateKey/password patterns; scans ~/Documents, ~/Desktop and ~/Downloads for files matching BIP-39 seed-phrase patterns; collects os.hostname() and os.userInfo(); and POSTs the bundle over plaintext HTTP to a hardcoded bare-IP endpoint at http://149.28.127.35:8888 (postinstall.js line 7, with a process.env.C2_URL override that lets the operator retarget exfiltration without republishing). The author-written header comment self-describes the file as "Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace."

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1062669f2c30cac905f3866fea3c00fe6911ad978798418549d6a5e7c5547074",
            "id": "IN-MAL-2026-002805",
            "source": "amazon-inspector",
            "modified_time": "2026-05-15T03:07:34Z",
            "versions": [
                "2.0.0"
            ],
            "import_time": "2026-05-15T07:37:20.096742951Z"
        },
        {
            "sha256": "aaf6769b158992b3a645fdae457ee3d759a0082919726b4eacc57d0832db8c07",
            "id": "IN-MAL-2026-002634",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:37Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-05-15T07:37:15.174562598Z"
        },
        {
            "sha256": "cc6d0e6e0c6fde21facbe811f1b8cfa6076b62061cc10d6f272e27855181299c",
            "id": "IN-MAL-2026-002636",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:38Z",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-05-15T07:37:15.282690624Z"
        },
        {
            "sha256": "4bca8ab293e09471eee82235e122a8791d1194d3433a117f5b4e2ee3075ab05d",
            "id": "IN-MAL-2026-002638",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:39Z",
            "versions": [
                "2.0.0"
            ],
            "import_time": "2026-05-15T07:37:15.34704098Z"
        },
        {
            "sha256": "5f795e9a94b971ddc6e554688cf6e7f4d38796486582095a7b9de48ba121ca03",
            "id": "IN-MAL-2026-002637",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:38Z",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-05-15T07:37:15.311698048Z"
        },
        {
            "sha256": "79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7",
            "id": "IN-MAL-2026-002635",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:37Z",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-05-15T07:37:15.213971092Z"
        }
    ]
}
Affected packages

Package: npm / dotenvv-tool

Affected ranges and versions:

1.* : 1.0.2, 1.0.3, 1.0.4, 1.0.5
2.* : 2.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dotenvv-tool/MAL-2026-3758.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [
        "http://149.28.127.35:8888"
    ],
    "evidence_files": [
        {
            "sha256": "d8352ed570f8674227e3a1b8e812d493724370d4fc69dbacdedbbb4584d75650",
            "tlsh": "80522998b8be012e592385eba25f11100416fc477482fca8fbdd46449f4e24d39bb3bd",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "dotenvv-tool-2.0.0.tgz",
            "hashes": {
                "sha1": "5fdc69ec43ecbe87e29ad8060893bc2f0f5898ef",
                "sha512_sri": "sha512-IfNaVg2BQ3Ur4T9Jt5GYR+hl4a9v7KVQTti8C+iuXxSHQRyz2AN4s9qXBGH6sMt63j3eVcmQb/s81JxD9WCtlg=="
            }
        }
    ]
}