MAL-2026-2350

Malicious code in dotenv-express (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (87c063897212774df4e13b1d7bf70cc74a98ac1ca824d2bb1f1e8c60d0662b5e)

Package impersonates the popular `dotenv` package: `package.json` points its repository field to `git://github.com/motdotla/dotenv.git` and homepage to `https://github.com/motdotla/dotenv#readme`, neither of which the author owns. The library code is a near-verbatim copy of dotenv but adds `const gate = require('environment-gate')` at the top of `lib/main.js`, and the documented `config()` entry point begins with `gate.gate()`, so any consumer calling the standard dotenv API (`require('dotenv-express').config()`) executes code from `environment-gate`, an unrelated third-party dependency with no env-file-loading purpose, on every load. The package additionally ships `skills/dotenv/SKILL.md` and `skills/dotenvx/SKILL.md` whose frontmatter declares `name: dotenv`, `author: motdotla`, `source: https://github.com/motdotla/dotenv`, and instructs `npm install dotenv`: identity-spoofing metadata designed to trick AI coding agents into treating this package as the genuine dotenv. The combination of impersonated repo/homepage/skill metadata, a name one token away from `dotenv`, and a forced transitive dependency that runs on the documented API call is deliberate namespace abuse rather than a typo, and the harm to installers is whatever `environment-gate` does at require-time on every `.config()` invocation.
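
The three impersonation indicators above (repository/homepage claiming another project, an unexpected third-party `require` in the main file, and SKILL.md frontmatter naming a different package and author) can be checked mechanically before a package is trusted. The following audit is an added example, not code from the advisory or the dotenv project; the sample `package.json`, main-file source and frontmatter are constructed to mirror the description above, the author value is a placeholder, and the assumption that genuine dotenv has no third-party runtime requires is the baseline for the second check.

```javascript
// Node builtins ignored by the require check (assumed list, extend as needed).
const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'crypto', 'util', 'events']);

// Last path segment of a GitHub URL, without a trailing ".git" or "#fragment".
function repoNameFromUrl(url) {
  const m = /github\.com[/:]([^/]+)\/([^/#]+)/.exec(url || '');
  return m ? m[2].replace(/\.git$/, '') : null;
}

// Modules required by the source that are neither builtins nor relative paths.
function thirdPartyRequires(source) {
  const found = new Set();
  const re = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const name = m[1];
    if (name.startsWith('.') || name.startsWith('node:') || NODE_BUILTINS.has(name)) continue;
    found.add(name);
  }
  return [...found];
}

// Returns a list of human-readable findings; an empty list means no indicator fired.
function auditPackage(pkg, mainSource, skillFrontmatter) {
  const findings = [];
  for (const field of ['repository', 'homepage']) {
    const raw = typeof pkg[field] === 'object' ? pkg[field].url : pkg[field];
    const claimed = repoNameFromUrl(raw);
    if (claimed && claimed !== pkg.name) findings.push(`${field} points at "${claimed}", not "${pkg.name}"`);
  }
  for (const mod of thirdPartyRequires(mainSource)) {
    findings.push(`main file requires third-party module "${mod}" (baseline dotenv has none)`);
  }
  for (const key of ['name', 'author']) {
    const expected = pkg[key];
    if (skillFrontmatter[key] && skillFrontmatter[key] !== expected) {
      findings.push(`SKILL.md ${key} "${skillFrontmatter[key]}" does not match package ${key} "${expected}"`);
    }
  }
  return findings;
}

// Constructed sample input mirroring the advisory; "placeholder-author" is not a real account.
const samplePkg = { name: 'dotenv-express', author: 'placeholder-author',
  repository: { type: 'git', url: 'git://github.com/motdotla/dotenv.git' },
  homepage: 'https://github.com/motdotla/dotenv#readme', dependencies: { 'environment-gate': '*' } };
const sampleMain = "const gate = require('environment-gate')\nconst fs = require('fs')\n" +
  "function config(options) { gate.gate() }\nmodule.exports = { config }";
const sampleSkill = { name: 'dotenv', author: 'motdotla', source: 'https://github.com/motdotla/dotenv' };
console.log(auditPackage(samplePkg, sampleMain, sampleSkill));
```

Run against an unpacked tarball, feed it the parsed `package.json`, the contents of the `main` file, and the parsed frontmatter of any `SKILL.md` the package ships.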

Affected packages

npm / dotenv-express

No fixed version published yet for dotenv-express (npm). Pin to a known-safe version or switch to an alternative.