registry  /  env-fast  /  1.0.0

env-fast@1.0.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10434 confirms this npm version as malicious. env-fast@1.0.0 presents as a zero-dependency env loader but on require schedules a 72-hour-delayed activation that POSTs a host fingerprint (hostname, platform, release, arch, CPU/memory, homedir, network interface names, uptime, node version) to hardcoded bare-IP endpoint http://2.27.62.51:8080/api/health over plain HTTP, followed by a 6-hour heartbeat...

Advisory
MAL-2026-10434
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in env-fast (npm)
Details
env-fast@1.0.0 presents as a zero-dependency env loader but on require schedules a 72-hour-delayed activation that POSTs a host fingerprint (hostname, platform, release, arch, CPU/memory, homedir, network interface names, uptime, node version) to hardcoded bare-IP endpoint http://2.27.62.51:8080/api/health over plain HTTP, followed by a 6-hour heartbeat. The same payload probes installer secret locations — reports presence of ~/.npmrc, enumerates ~/.ssh for id_rsa/id_ed25519/id_ecdsa, and counts process.env keys matching /key|secret|token|password|auth|private|wallet|seed|mnemonic/i — and ships those results to the same remote endpoint. The 72-hour dormancy is a behavioral evasion pattern that avoids short-lived CI and sandbox environments while ensuring long-lived production hosts trigger the beacon.
Decision reason
OpenSSF Malicious Packages via OSV confirms env-fast@1.0.0 as malicious (MAL-2026-10434): Malicious code in env-fast (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory