env-stream @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10412
Ecosystem
npm
Summary
Package publishes under the name env-stream but its package.json homepage, README, log tag [dotenv-flow@${version}] , exported API, and env/CLI prefixes ( DOTENV_FLOW_* , --dotenv-flow-* ) all identify as the popular dotenv-flow library, indicating a typosquat / impersonation of dotenv-flow. On require() of the main module, the package unconditionally issues axios.get() against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes Module._compile(responseBody, 'error.js') and returns m.exports() to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.
Source: amazon-inspector (d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.