MAL-2026-4467

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@weirdorg/dotenv/MAL-2026-4467.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4467
Published
2026-05-20T07:11:29Z
Modified
2026-05-26T06:02:07.127952806Z
Summary
Malicious code in @weirdorg/dotenv (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dce94a089c58246a54a1e4496d323c92bb46dac654e1a1403e875292be94b198)

Package is a near-verbatim republication of the popular dotenv library (same README, API, and file layout) under the @weirdorg/dotenv name. The only material divergence from upstream dotenv is in lib/main.js: line 5 adds const vconfig = require('@weirdorg/config'), and line 253 inserts vconfig.loadConfig(); at the top of configDotenv() — the function reached through the public config() entry point and through require('@weirdorg/dotenv/config'). @weirdorg/config is declared as a runtime dependency but is not mentioned in the README, is not part of the upstream dotenv API surface, and serves no documented purpose. Any installer who substitutes this package for dotenv (whether by typo, lockfile confusion, or scope-bait) and calls the advertised API will silently execute arbitrary code from @weirdorg/config, a sibling package controlled by the same publisher. This is the canonical namespace-abuse / dependency-smuggling shape: the visible package looks identical to a trusted library, while the actual payload lives in an undocumented sibling pulled in transparently through dependencies.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.4"
            ],
            "id": "IN-MAL-2026-003482",
            "import_time": "2026-05-26T05:50:43.481199213Z",
            "modified_time": "2026-05-20T07:11:29Z",
            "sha256": "dce94a089c58246a54a1e4496d323c92bb46dac654e1a1403e875292be94b198",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @weirdorg/dotenv

Package

Name
@weirdorg/dotenv
View open source insights on deps.dev
Purl
pkg:npm/%40weirdorg%2Fdotenv

Affected ranges

Affected versions

1.*
1.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "dotenv-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-6174oyD0eFW6+KgYw6dXsrR3APclH9yZSSSAYplp8CCZbuHJcdF5q6NPhmiLEagOIORZnlVrvek+qVwbZp/dXQ==",
                "sha1": "8691312244a0100f99265d8ba5f681cec5621703"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "02c013e5ce8b27f8aa30fee569076bea1ad59d493bc98203b787feca926024fa",
            "tlsh": "5d5274045616b61246f3bbe2d61b5008efbb423776248180b69ca7c82f69e64c1e7fdd",
            "path": "lib/main.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@weirdorg/dotenv/MAL-2026-4467.json"