core-dotenv @1.4.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10631
Ecosystem
npm
Summary
core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config() (or get(), which lazily invokes config()), a worker (plugin.worker.js) issues an HTTPS request to a destination whose URL is hidden as an array of hex byte values and reconstructed at runtime via String.fromCharCode; the decoded host is realase-0626.vercel.app (path /api/v1). The response is JSON-parsed and its parser field is passed to vm.runInContext in a context exposing Function, then invoked with Node's require as an argument, granting remotely supplied code full Node capabilities on the host that loaded the library. The destination is unrelated to any documented dotenv functionality, the URL is obfuscated to evade static review, and the fetched content is executed rather than treated as data.
Source: amazon-inspector (aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.