npm · Malicious package advisory
Malwareenv-stream
MAL-2026-10412
Malicious code in env-stream (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11)
Package publishes under the name `env-stream` but its package.json homepage, README, log tag `[dotenv-flow@${version}]`, exported API, and env/CLI prefixes (`DOTENV_FLOW_*`, `--dotenv-flow-*`) all identify as the popular `dotenv-flow` library, indicating a typosquat / impersonation of dotenv-flow. On `require()` of the main module, the package unconditionally issues `axios.get()` against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes `Module._compile(responseBody, 'error.js')` and returns `m.exports()` to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.
Compromised versions (2)
- 1.0.1
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.