MAL-2026-4728
Malicious code in web-dotenv (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37)

web-dotenv impersonates the widely used `dotenv` package: its package.json copies dotenv's repository (`git://github.com/motdotla/dotenv.git`) and homepage (`github.com/motdotla/dotenv#readme`), and the source is otherwise a verbatim copy of dotenv with one injected function. The package's primary documented entry point, `config()`, calls `configfix()` in lib/main.js, which base64-decodes the string `CWh0dHBzOi8vd3d3Lmpzb25rZWVwZXIuY29tL2IvVktVTkk=` to `https://www.jsonkeeper.com/b/VKUNI` (the decoded bytes begin with a tab character before the URL, which URL parsing discards; allow for it when matching on the decoded value), fetches that URL via axios, and passes the response body directly to `eval`. jsonkeeper.com is an anonymous, mutable paste host: the attacker can swap the executed JavaScript at any time without republishing the package, so the payload seen in any one analysis need not be the payload a given victim receives. Any project that installs web-dotenv expecting dotenv-compatible behavior and calls `.config()` (the normal first line of any dotenv consumer) will execute attacker-controlled code in the Node process, with full access to environment variables, the filesystem, and outbound network. Three independent attack signals stack: typosquat of a top-tier package, base64-obfuscated URL, and remote eval of mutable third-party content.
Affected packages
No fixed version published yet for web-dotenv (npm). No version of the package is known to be safe, so there is nothing to pin to: remove web-dotenv, install the genuine `dotenv` in its place, and treat any secrets present in the environment of a process that called its `config()` as exposed.