npm

env-stream @1.0.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10412

Ecosystem

npm

Summary

Package publishes under the name env-stream but its package.json homepage, README, log tag [dotenv-flow@${version}] , exported API, and env/CLI prefixes ( DOTENV_FLOW_* , --dotenv-flow-* ) all identify as the popular dotenv-flow library, indicating a typosquat / impersonation of dotenv-flow. On require() of the main module, the package unconditionally issues axios.get() against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes Module._compile(responseBody, 'error.js') and returns m.exports() to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.

Source: amazon-inspector (d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.