-= Per source details. Do not edit below this line.=-
Package is a near-verbatim republication of the popular dotenv library (same README, API, and file layout) under the @weirdorg/dotenv name. The only material divergence from upstream dotenv is in lib/main.js: line 5 adds const vconfig = require('@weirdorg/config'), and line 253 inserts vconfig.loadConfig(); at the top of configDotenv() — the function reached through the public config() entry point and through require('@weirdorg/dotenv/config'). @weirdorg/config is declared as a runtime dependency but is not mentioned in the README, is not part of the upstream dotenv API surface, and serves no documented purpose. Any installer who substitutes this package for dotenv (whether by typo, lockfile confusion, or scope-bait) and calls the advertised API will silently execute arbitrary code from @weirdorg/config, a sibling package controlled by the same publisher. This is the canonical namespace-abuse / dependency-smuggling shape: the visible package looks identical to a trusted library, while the actual payload lives in an undocumented sibling pulled in transparently through dependencies.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.4"
],
"id": "IN-MAL-2026-003482",
"import_time": "2026-05-26T05:50:43.481199213Z",
"modified_time": "2026-05-20T07:11:29Z",
"sha256": "dce94a089c58246a54a1e4496d323c92bb46dac654e1a1403e875292be94b198",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "dotenv-1.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-6174oyD0eFW6+KgYw6dXsrR3APclH9yZSSSAYplp8CCZbuHJcdF5q6NPhmiLEagOIORZnlVrvek+qVwbZp/dXQ==",
"sha1": "8691312244a0100f99265d8ba5f681cec5621703"
}
}
],
"evidence_files": [
{
"sha256": "02c013e5ce8b27f8aa30fee569076bea1ad59d493bc98203b787feca926024fa",
"tlsh": "5d5274045616b61246f3bbe2d61b5008efbb423776248180b69ca7c82f69e64c1e7fdd",
"path": "lib/main.js"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@weirdorg/dotenv/MAL-2026-4467.json"