VDB
KO

MAL-2026-10434

Malicious code in env-fast (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9955128054ee66cd4675be3884e92f9e541ad7e9673496ece60e932c0b83ca5f) env-fast@1.0.0 presents as a zero-dependency env loader but on require schedules a 72-hour-delayed activation that POSTs a host fingerprint (hostname, platform, release, arch, CPU/memory, homedir, network interface names, uptime, node version) to hardcoded bare-IP endpoint http://2.27.62.51:8080/api/health over plain HTTP, followed by a 6-hour heartbeat. The same payload probes installer secret locations — reports presence of ~/.npmrc, enumerates ~/.ssh for id_rsa/id_ed25519/id_ecdsa, and counts process.env keys matching /key|secret|token|password|auth|private|wallet|seed|mnemonic/i — and ships those results to the same remote endpoint. The 72-hour dormancy is a behavioral evasion pattern that avoids short-lived CI and sandbox environments while ensuring long-lived production hosts trigger the beacon.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / env-fast

No fixed version published yet for env-fast (npm). Pin to a known-safe version or switch to an alternative.

References