npm

core-dotenv @1.4.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10631

Ecosystem

npm

Summary

core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config() (or get(), which lazily invokes config()), a worker (plugin.worker.js) issues an HTTPS request to a destination whose URL is hidden as an array of hex byte values and reconstructed at runtime via String.fromCharCode; the decoded host is realase-0626.vercel.app (path /api/v1). The response is JSON-parsed and its parser field is passed to vm.runInContext in a context exposing Function, then invoked with Node's require as an argument, granting remotely supplied code full Node capabilities on the host that loaded the library. The destination is unrelated to any documented dotenv functionality, the URL is obfuscated to evade static review, and the fetched content is executed rather than treated as data.

Source: amazon-inspector (aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.