VDB
KO

MAL-2026-10412

Malicious code in env-stream (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11) Package publishes under the name `env-stream` but its package.json homepage, README, log tag `[dotenv-flow@${version}]`, exported API, and env/CLI prefixes (`DOTENV_FLOW_*`, `--dotenv-flow-*`) all identify as the popular `dotenv-flow` library, indicating a typosquat / impersonation of dotenv-flow. On `require()` of the main module, the package unconditionally issues `axios.get()` against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes `Module._compile(responseBody, 'error.js')` and returns `m.exports()` to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / env-stream

No fixed version published yet for env-stream (npm). Pin to a known-safe version or switch to an alternative.

References