registry  /  @dotenvx/dotenvx  /  2.7.3

@dotenvx/dotenvx@2.7.3

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No unconsented install-time or import-time attack behavior was found. The CLI deliberately supports user-invoked secret storage, Armor uploads, command execution, and optional Git hook setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `dotenvx armor`, `dotenvx run`, extension, native, or `precommit --install` command.
Impact
Explicit Armor commands can transmit selected dotenv private keys to the configured Armor service; no stealth harvesting or automatic exfiltration was found.
Mechanism
User-directed dotenv/key management and package-aligned Armor API operations.
Rationale
The suspicious primitives are documented CLI capabilities reached by explicit user commands, not npm lifecycle or import-time behavior. Source inspection found no concrete malicious chain, foreign AI-agent mutation, stealth persistence, or unsolicited credential exfiltration.
Evidence
package.jsonsrc/lib/main.jssrc/db/session.jssrc/lib/api/postArmorUp.jssrc/lib/api/postArmorPush.jssrc/lib/helpers/installPrecommitHook.js.env.env.keys.git/hooks/pre-commit
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/lib/api/postArmorUp.js` and `postArmorPush.js` send selected private keys to Armor APIs.
  • `src/lib/helpers/executeDynamic.js` runs named `dotenvx-*` commands only after CLI dispatch.
  • `src/lib/helpers/installPrecommitHook.js` can write `.git/hooks/pre-commit` only via `precommit --install`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `src/lib/main.js` imports/configures dotenv files; no import-time network or shell execution is established.
  • Armor network calls are tied to explicit login/armor/encrypt workflows and use the configured Armor hostname.
  • `src/shared/logger.js` dynamic require finding is noise: it contains no dynamic module loading.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 157 file(s), 246 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

4 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/shared/logger.jsView on unpkg · L1
src/db/session.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotenvx/dotenvx@2.6.0 matchedIdentity = npm:QGRvdGVudngvZG90ZW52eA:2.6.0 similarity = 0.683 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/db/session.jsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
HighPrevious Version Dangerous Deltasrc/db/session.js
MediumDynamic Requiresrc/shared/logger.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings