dotenv-express @17.4.6
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 8:16 PM UTC
OSV ID
MAL-2026-2350
Ecosystem
npm
Summary
Package impersonates the popular dotenv package: package.json points its repository field to git://github.com/motdotla/dotenv.git and homepage to https://github.com/motdotla/dotenv#readme , neither of which the author owns. The library code is a near-verbatim copy of dotenv but adds const gate = require('environment-gate') at the top of lib/main.js , and the documented config() entry point begins with gate.gate() — so any consumer calling the standard dotenv API ( require('dotenv-express').config() ) executes code from environment-gate , an unrelated third-party dependency with no env-file-loading purpose, on every load. The package additionally ships skills/dotenv/SKILL.md and skills/dotenvx/SKILL.md whose frontmatter declares name: dotenv , author: motdotla , source: https://github.com/motdotla/dotenv , and instructs npm install dotenv — identity-spoofing metadata designed to trick AI coding agents into treating this package as the genuine dotenv. The combination of impersonated repo/homepage/skill metadata, a name one token away from dotenv , and a forced transitive dependency that runs on the documented API call is deliberate namespace abuse rather than a typo, and the harm to installers is whatever environment-gate does at require-time on every .config() invocation.
Source: amazon-inspector (87c063897212774df4e13b1d7bf70cc74a98ac1ca824d2bb1f1e8c60d0662b5e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.