VYPR

npm · Malicious package advisory

Malware

@weirdorg/dotenv

MAL-2026-4467

Malicious code in @weirdorg/dotenv (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dce94a089c58246a54a1e4496d323c92bb46dac654e1a1403e875292be94b198)
Package is a near-verbatim republication of the popular `dotenv` library (same README, API, and file layout) under the `@weirdorg/dotenv` name. The only material divergence from upstream `dotenv` is in `lib/main.js`: line 5 adds `const vconfig = require('@weirdorg/config')`, and line 253 inserts `vconfig.loadConfig();` at the top of `configDotenv()` — the function reached through the public `config()` entry point and through `require('@weirdorg/dotenv/config')`. `@weirdorg/config` is declared as a runtime dependency but is not mentioned in the README, is not part of the upstream `dotenv` API surface, and serves no documented purpose. Any installer who substitutes this package for `dotenv` (whether by typo, lockfile confusion, or scope-bait) and calls the advertised API will silently execute arbitrary code from `@weirdorg/config`, a sibling package controlled by the same publisher. This is the canonical namespace-abuse / dependency-smuggling shape: the visible package looks identical to a trusted library, while the actual payload lives in an undocumented sibling pulled in transparently through `dependencies`.

Compromised versions (1)

  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.