{"id":"MAL-2026-3758","summary":"Malicious code in dotenvv-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7)\nPackage name `dotenvv-tool` impersonates the popular `dotenv` package; index.js is an admitted dummy stub (\"The real payload is in postinstall.js\"). The `postinstall` lifecycle script runs on `npm install` and performs wholesale harvesting of installer-owned secrets: reads `~/.npmrc` (npm publish token), `~/.env` (API keys, DB URLs, cloud credentials), and `~/.git-credentials`; enumerates Chrome/Brave/Edge/Chromium/Vivaldi/Opera profile directories for 71 hardcoded crypto-wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, Ledger, Trezor, etc.) and reads their LevelDB `.log` files for vault/mnemonic/privateKey/password patterns; scans `~/Documents`, `~/Desktop`, `~/Downloads` for files matching BIP-39 seed-phrase patterns; collects `os.hostname()` and `os.userInfo()`; and POSTs the bundle over plaintext HTTP to a hardcoded bare-IP endpoint at `http://149.28.127.35:8888` (postinstall.js line 7, with `process.env.C2_URL` override to let the operator retarget exfiltration without republishing). Author-written header comment self-describes the file as \"Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace.\"\n","modified":"2026-05-15T07:52:43.106139Z","published":"2026-05-14T19:24:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"1062669f2c30cac905f3866fea3c00fe6911ad978798418549d6a5e7c5547074","versions":["2.0.0"],"import_time":"2026-05-15T07:37:20.096742951Z","source":"amazon-inspector","modified_time":"2026-05-15T03:07:34Z","id":"IN-MAL-2026-002805"},{"sha256":"aaf6769b158992b3a645fdae457ee3d759a0082919726b4eacc57d0832db8c07","versions":["1.0.2"],"import_time":"2026-05-15T07:37:15.174562598Z","source":"amazon-inspector","modified_time":"2026-05-14T19:24:37Z","id":"IN-MAL-2026-002634"},{"sha256":"cc6d0e6e0c6fde21facbe811f1b8cfa6076b62061cc10d6f272e27855181299c","versions":["1.0.4"],"import_time":"2026-05-15T07:37:15.282690624Z","source":"amazon-inspector","modified_time":"2026-05-14T19:24:38Z","id":"IN-MAL-2026-002636"},{"sha256":"4bca8ab293e09471eee82235e122a8791d1194d3433a117f5b4e2ee3075ab05d","versions":["2.0.0"],"import_time":"2026-05-15T07:37:15.34704098Z","source":"amazon-inspector","modified_time":"2026-05-14T19:24:39Z","id":"IN-MAL-2026-002638"},{"sha256":"5f795e9a94b971ddc6e554688cf6e7f4d38796486582095a7b9de48ba121ca03","versions":["1.0.5"],"import_time":"2026-05-15T07:37:15.311698048Z","source":"amazon-inspector","modified_time":"2026-05-14T19:24:38Z","id":"IN-MAL-2026-002637"},{"sha256":"79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7","versions":["1.0.3"],"import_time":"2026-05-15T07:37:15.213971092Z","source":"amazon-inspector","modified_time":"2026-05-14T19:24:37Z","id":"IN-MAL-2026-002635"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dotenvv-tool/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dotenvv-tool/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dotenvv-tool/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dotenvv-tool/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dotenvv-tool/v/1.0.3"}],"affected":[{"package":{"name":"dotenvv-tool","ecosystem":"npm","purl":"pkg:npm/dotenvv-tool"},"versions":["2.0.0","1.0.2","1.0.4","1.0.5","1.0.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"postinstall.js","tlsh":"80522998b8be012e592385eba25f11100416fc477482fca8fbdd46449f4e24d39bb3bd","sha256":"d8352ed570f8674227e3a1b8e812d493724370d4fc69dbacdedbbb4584d75650"}],"domains":["http://149.28.127.35:8888"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-IfNaVg2BQ3Ur4T9Jt5GYR+hl4a9v7KVQTti8C+iuXxSHQRyz2AN4s9qXBGH6sMt63j3eVcmQb/s81JxD9WCtlg==","sha1":"5fdc69ec43ecbe87e29ad8060893bc2f0f5898ef"},"filename":"dotenvv-tool-2.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dotenvv-tool/MAL-2026-3758.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}