registry  /  env-stream  /  1.0.1

env-stream@1.0.1

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10412 confirms this npm version as malicious. Package publishes under the name `env-stream` but its package.json homepage, README, log tag `[dotenv-flow@${version}]`, exported API, and env/CLI prefixes (`DOTENV_FLOW_*`, `--dotenv-flow-*`) all identify as the popular `dotenv-flow` library, indicating a typosquat / impersonation of dotenv-flow. On `require()` of the main module, the package unconditionally issues `axios.get()` against a hardcoded remote endpoint...

Advisory
MAL-2026-10412
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in env-stream (npm)
Details
Package publishes under the name `env-stream` but its package.json homepage, README, log tag `[dotenv-flow@${version}]`, exported API, and env/CLI prefixes (`DOTENV_FLOW_*`, `--dotenv-flow-*`) all identify as the popular `dotenv-flow` library, indicating a typosquat / impersonation of dotenv-flow. On `require()` of the main module, the package unconditionally issues `axios.get()` against a hardcoded remote endpoint at https://realase-0626.vercel.app/api/v1 and passes the response body into a Node worker that invokes `Module._compile(responseBody, 'error.js')` and returns `m.exports()` to the parent. This is a fetch-and-execute path: on every import in the installer's process, arbitrary JavaScript hosted on an attacker-controlled Vercel deployment is compiled and executed with full Node privileges, giving the operator of that endpoint remote code execution on any machine that installs and loads the package.
Decision reason
OpenSSF Malicious Packages via OSV confirms env-stream@1.0.1 as malicious (MAL-2026-10412): Malicious code in env-stream (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory