VDB
KO

MAL-2026-10631

Malicious code in core-dotenv (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e) core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config() (or get(), which lazily invokes config()), a worker (plugin.worker.js) issues an HTTPS request to a destination whose URL is hidden as an array of hex byte values and reconstructed at runtime via String.fromCharCode; the decoded host is realase-0626.vercel.app (path /api/v1). The response is JSON-parsed and its `parser` field is passed to vm.runInContext in a context exposing Function, then invoked with Node's `require` as an argument, granting remotely supplied code full Node capabilities on the host that loaded the library. The destination is unrelated to any documented dotenv functionality, the URL is obfuscated to evade static review, and the fetched content is executed rather than treated as data.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / core-dotenv

No fixed version published yet for core-dotenv (npm). Pin to a known-safe version or switch to an alternative.

References