VYPR

npm · Malicious package advisory

Malware

environment-gate

MAL-2026-5743

Malicious code in environment-gate (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (80dc74c6c5240e9c146e476300b44582cc114cf1827319ba81d2bcae2d64c2cf)
index.js contains a commented-out line that, if uncommented, would base64-decode the URL https://www.jsonkeeper.com/b/VKUNI, fetch its contents via axios, and eval the response. As shipped the code is inside a // comment and does not execute on require() or install — the only live code is a misspelled `conosle.log` and the package's `gate` export is a no-op. No lifecycle hooks are declared in package.json. There is no current installer-side harm in this version, but the presence of a fully-formed remote-fetch-and-eval template targeting an anonymous, mutable paste host (jsonkeeper.com) — combined with the package's otherwise empty functionality — is consistent with a staged or abandoned dropper template rather than a legitimate utility. Routing for human review so a maintainer can assess package legitimacy and watch for activation in subsequent versions.

## Source: ghsa-malware (3f6e4b7cef8168fc7a34702dcbb2877618e925d7fca5ca86684a73700d2c7991)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (2)

  • 7.3.6
  • 7.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.