Malicious package

dotenv-express (npm)

Malicious code in dotenv-express (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-2350
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall dotenv-express

What this malware does

The package impersonates the popular dotenv package. Its package.json points the repository field to git://github.com/motdotla/dotenv.git and homepage to https://github.com/motdotla/dotenv#readme, neither of which the author owns. The library code is a near-verbatim copy of dotenv, but adds const gate = require('environment-gate') at the top of lib/main.js, and the documented config() entry point begins with gate.gate(). Any consumer calling the standard dotenv API (require('dotenv-express').config()) therefore executes code from environment-gate, an unrelated third-party dependency with no env-file-loading purpose, every time config() runs.

The package additionally ships skills/dotenv/SKILL.md and skills/dotenvx/SKILL.md whose frontmatter declares name: dotenv, author: motdotla and source: https://github.com/motdotla/dotenv, and instructs npm install dotenv: identity-spoofing metadata designed to make AI coding agents treat this package as the genuine dotenv.

The combination of impersonated repository, homepage and skill metadata, a name one token away from dotenv, and a forced transitive dependency that runs on the documented API call is deliberate namespace abuse rather than a typo. The harm to installers is whatever environment-gate does when it is required at module load and each time gate.gate() runs inside config().

Malicious versions

4 flagged
2.5.5, 17.4.3, 17.4.4, 17.4.5

Indicators of compromise (SHA-256)

5ea08e37c8d0d7664606e811be640da27372585c408c2cf5987b8903ad6dd493
4a2a64c0b295657e6373168223a6131c966f09e6c0b7a1e150b7deba779b75be
4130b63199807afa74453827b83d0ce23da273ea2f4df80b31860c360239d7f8
87c063897212774df4e13b1d7bf70cc74a98ac1ca824d2bb1f1e8c60d0662b5e
b2550d2da2fa62332dfdc22a952773e11cfd7b97d2dbbaab70697eff6321c54f

Frequently asked questions

Is dotenv-express safe to use?

No. dotenv-express on npm has been identified as a malicious package (versions 2.5.5, 17.4.3, 17.4.4 and 17.4.5 are flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

RLMA-2026-01743, IN-MAL-2026-006690, IN-MAL-2026-006689, IN-MAL-2026-006691

Credits

  • Amazon Inspector · finder
  • ReversingLabs · finder

dotenv-express (npm) malicious package — MAL-2026-2350 | O3 Security