registry  /  @mikegarde/dotenv-cli  /  1.1.2

@mikegarde/dotenv-cli@1.1.2

Read and update dotenv files from the cli

AI Security Review

scanned 3h ago · by lpm-firewall-ai

`postinstall.js` automatically retrieves and executes a native CLI payload at install time. The payload is package-aligned but its integrity is not verified before installation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation with lifecycle scripts enabled
Impact
A compromised release asset or redirect target could supply arbitrary native code that runs when the user invokes `dotenv`.
Mechanism
postinstall download, gzip extraction, and executable permission grant
Rationale
The source does not show concrete malicious behavior, but automatic installation of an unverified remotely fetched native executable is a material supply-chain risk. Flag as a warning rather than block because the endpoint and artifact naming are package-aligned and no malicious chain is confirmed.
Evidence
package.jsonpostinstall.jsbin/dotenvvendor/dotenv$TMPDIR/dotenv-cli-<timestamp>.gz
Network endpoints1
github.com/MikeGarde/dotenv-cli/releases/download/1.1.2/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `postinstall.js` runs automatically via `package.json` postinstall.
  • Install script downloads a platform-specific executable from GitHub Releases.
  • Downloaded gzip is decompressed into `vendor/dotenv` and marked executable.
  • No checksum, signature, or pinned artifact digest verifies the downloaded binary.
  • Redirect handling accepts up to five redirects without restricting the destination host.
Evidence against
  • No source reads or transmits `.env` contents, credentials, or other local files.
  • No hidden shell, eval, dynamic code loading, persistence, or destructive actions found.
  • `bin/dotenv` only launches the installed `vendor/dotenv` with user-provided arguments.
  • The remote artifact name and release URL are package-aligned to `MikeGarde/dotenv-cli` and its declared version.
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 1 file(s), 3.25 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
160patternName = private_key_rsa severity = critical line = 160 matchedText = -----BEG...f...
Critical
Secret Pattern

RSA private key in README.md

README.mdView on unpkg · L160
163patternName = private_key_rsa severity = critical line = 163 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in README.md

README.mdView on unpkg · L163

Findings

2 Critical1 High2 Medium4 Low
CriticalSecret PatternREADME.md
CriticalSecret PatternREADME.md
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License