MAL-2026-4665

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-env-loader/MAL-2026-4665.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4665

Published

2026-05-20T04:53:27Z

Modified

2026-05-26T06:02:54.658069560Z

Summary

Malicious code in security-env-loader (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cf2b538ca6f5582ba25c054253f091eacca05571066d7237d6f693f23938e37c)

Package impersonates the popular dotenv library (identical description and repo URL git://github.com/motdotla/dotenv.git) and exposes a matching config() API. When a consumer calls require('security-env-loader').config(...), lib/main.js loads lib/sync-safe-read.js — an obfuscator.io-packed module (rotated string array, 0x-style hex identifiers) that runs at top level. The module collects os.hostname(), os.type()/release()/arch(), MAC addresses from os.networkInterfaces(), and the entire process.env via JSON.stringify(process.env), then POSTs/GETs the data as query parameters to a base64-decoded URL (https://ip-core-api-0511.vercel.app/api; the same value is shipped in the package's.env as AUTHAPI=aHR0cHM6Ly9pcC1jb3JlLWFwaS0wNTExLnZlcmNlbC5hcHAvYXBp). The exfiltration loop fires every 5 seconds via setInterval. The response from the C2 is parsed and when status==='log', message is passed to eval(), giving the operator persistent arbitrary-code execution in any host process that imports this package. Because the package's stated purpose is to load environment variables, the exfiltrated process.env is highly likely to contain live API keys, database credentials, and cloud tokens.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "cf2b538ca6f5582ba25c054253f091eacca05571066d7237d6f693f23938e37c",
            "modified_time": "2026-05-20T04:53:27Z",
            "versions": [
                "3.11.0"
            ],
            "id": "IN-MAL-2026-003466",
            "import_time": "2026-05-26T05:50:41.742773895Z"
        }
    ]
}

References

https://www.npmjs.com/package/security-env-loader/v/3.11.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / security-env-loader

Package

Name: security-env-loader; View open source insights on deps.dev
Purl: pkg:npm/security-env-loader

Affected ranges

Affected versions

3.*

3.11.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-env-loader/MAL-2026-4665.json"

indicators

{
    "package_integrity": [
        {
            "filename": "security-env-loader-3.11.0.tgz",
            "hashes": {
                "sha1": "dd886153fa86e6c01d05efd064c921b80309fdf8",
                "sha512_sri": "sha512-Bf85PDxq4MVKx8KF6hsZRtoRwUR465qSAhHgLRgfwANb/Oz+faj2OPDj/m2xCY8YTwR9CLR88dQcpp+Ze7JH2w=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "5a4cfc7dce615c037529eccd90889c475d80e8dc8905f001d2163cc46de72d8f",
            "tlsh": "7051444aa2e835500b87a2f08a0f11056ab5d5673314cef4bc8c6bc93f0582499b3aff",
            "path": "lib/main.js"
        },
        {
            "path": "lib/sync-safe-read.js",
            "tlsh": "6cb15319aed00e9613476bd73b2bb9c1ed1a8e953ca54846b210ec0875b2e34ced6f34",
            "sha256": "49d1c324c7aa9630b5b9a8a25d69db3e2b7041c5b5fe65329f74525198cd2d64"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]