npm

@thebros/create-benjamin @1.0.12

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4455

Ecosystem

npm

Summary

The package tarball ships a .env file containing a live-looking OpenAI API key (OPENAI_API_KEY=sk-proj-...). The CLI entry point bin/index.js calls import "dotenv/config" at line 3, which auto-loads that .env from the package directory at startup. At line 13 the key is read via process.env.OPENAI_API_KEY. Two installer-affecting consequences result: (1) the author's third-party API credential is redistributed to every installer of the package, who can extract it from the tarball and abuse it against OpenAI under the author's account; (2) when a user runs create-benjamin without setting their own OPENAI_API_KEY, their project-description prompt is silently sent to OpenAI, billed against the author's account, with no disclosure that a hardcoded key is in use. The key should be revoked, removed from the published tarball, and the CLI should require the user to provide their own key.

Source: amazon-inspector (53fb816939bb505cdabc374418983428298b09a29e5789033943301642b8b156)
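The report describes a credential that ships inside the published tarball, so the practical check is to inspect the tarball contents before the package is installed or run, independent of whether the CLI ever loads the key. The following Node.js script is an added example, not code from the package or from the OSV report: it walks a list of tarball entries, flags dotenv-style files, parses them, and matches every value (and every other file) against secret-shaped patterns, including the sk-proj- prefix the summary mentions. The entry list, the key value, and all file paths other than bin/index.js and .env are constructed placeholders; in practice, populate the list from `npm pack --dry-run` output or by extracting the .tgz with `tar -xzf`.

```javascript
// Added example: scan npm tarball entries for committed .env files and
// secret-shaped values. Not code from the package or from the OSV report.

// Token formats that should never appear in a published package.
// OpenAI project keys begin with "sk-proj-"; legacy OpenAI keys with "sk-".
const SECRET_PATTERNS = [
  { name: "openai-project-key", re: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/ },
  { name: "openai-key", re: /\bsk-[A-Za-z0-9]{20,}\b/ },
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
];

// Files a dotenv-style loader would pick up: .env, .env.local, .env.production ...
function isEnvFile(path) {
  const base = path.split("/").pop();
  return base === ".env" || base.startsWith(".env.");
}

// Minimal dotenv-compatible parser: KEY=VALUE lines, optional "export ",
// single or double quotes, and # comments. Returns a Map of key -> value.
function parseDotenv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const rest = m[2].trim();
    const quoted = /^(["'])(.*?)\1/.exec(rest);
    // Quoted values keep their contents verbatim; unquoted ones lose a trailing comment.
    const value = quoted ? quoted[2] : rest.replace(/\s+#.*$/, "").trim();
    vars.set(m[1], value);
  }
  return vars;
}

// entries: [{ path, content }] as they appear inside the tarball.
// Each variable in a shipped .env is reported (a shipped .env is itself a defect);
// values or files matching SECRET_PATTERNS are escalated to severity "high".
function scanTarball(entries) {
  const findings = [];
  for (const { path, content } of entries) {
    if (isEnvFile(path)) {
      for (const [key, value] of parseDotenv(content)) {
        const hit = SECRET_PATTERNS.find((p) => p.re.test(value));
        findings.push({
          path,
          key,
          kind: hit ? hit.name : "env-file-variable",
          severity: hit ? "high" : "low",
        });
      }
      continue;
    }
    // Hardcoded secrets can also sit directly in source files.
    for (const p of SECRET_PATTERNS) {
      if (p.re.test(content)) {
        findings.push({ path, key: null, kind: p.name, severity: "high" });
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the report. The key value is a placeholder,
// not a real credential; the file list is illustrative only.
const SAMPLE_ENTRIES = [
  { path: "package/package.json", content: '{"name":"example","bin":"bin/index.js"}' },
  {
    path: "package/.env",
    content: [
      "# committed by mistake",
      'OPENAI_API_KEY="sk-proj-PLACEHOLDERPLACEHOLDERPLACEHOLDER0000"',
      "MODEL=gpt-4o-mini # not a secret",
    ].join("\n"),
  },
  {
    path: "package/bin/index.js",
    content: 'import "dotenv/config";\nconst key = process.env.OPENAI_API_KEY;\n',
  },
];

console.log(JSON.stringify(scanTarball(SAMPLE_ENTRIES), null, 2));
```

Run this against the extracted tarball of any package before invoking it with npx: a single "high" finding is grounds to refuse the package and report it, because the credential is exposed to every installer whether or not the CLI happens to load it at runtime.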
