Malicious package

dotenvv-tool (npm)

Malicious code in dotenvv-tool (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3758
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall dotenvv-tool

What this malware does

The package name dotenvv-tool impersonates the popular dotenv package. Its index.js is an admitted dummy stub ("The real payload is in postinstall.js"); the postinstall lifecycle script runs on npm install and performs wholesale harvesting of installer-owned secrets.

What it collects: it reads ~/.npmrc (npm publish token), ~/.env (API keys, DB URLs, cloud credentials) and ~/.git-credentials; enumerates Chrome/Brave/Edge/Chromium/Vivaldi/Opera profile directories for 71 hardcoded crypto-wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, Ledger, Trezor, etc.) and reads their LevelDB .log files for vault/mnemonic/privateKey/password patterns; scans ~/Documents, ~/Desktop and ~/Downloads for files matching BIP-39 seed-phrase patterns; and collects os.hostname() and os.userInfo().

Where it sends it: the bundle is POSTed over plaintext HTTP to a hardcoded bare-IP endpoint at http://149.28.127.35:8888 (postinstall.js line 7), with a process.env.C2_URL override that lets the operator retarget exfiltration without republishing. The author-written header comment self-describes the file as "Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace."

Malicious versions

5 flagged: 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dotenvv-tool (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dotenvv-tool across your stack and pipelines.

  2. If you installed it — respond

    dotenvv-tool is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If dotenvv-tool was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks dotenvv-tool before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
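Step 1 in practice, as an added example that is not O3's scanner or any code from the package: a small Python script that walks a package-lock.json (both the lockfileVersion 1 nested "dependencies" tree and the v2/v3 flat "packages" map) and reports every dotenvv-tool entry, marking the versions this advisory flags. The sample lockfile is constructed for the demonstration.

```python
import json
from typing import Iterator, List, Tuple

# Flagged package and versions, as listed in this advisory (MAL-2026-3758).
FLAGGED_VERSIONS = {"dotenvv-tool": {"1.0.2", "1.0.3", "1.0.4", "1.0.5", "2.0.0"}}

def _walk_v1(deps: dict, path: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, path) from a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        here = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        yield name, meta.get("version", ""), here
        yield from _walk_v1(meta.get("dependencies"), here)

def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, path) for every resolved package in a package-lock.json.
    lockfileVersion 2/3 keeps a flat 'packages' map keyed by node_modules path;
    lockfileVersion 1 keeps a nested 'dependencies' tree (v2 carries both)."""
    for pkg_path, meta in (lock.get("packages") or {}).items():
        if not pkg_path:
            continue  # the empty key is the root project itself, not a dependency
        name = meta.get("name") or pkg_path.split("node_modules/")[-1]
        yield name, meta.get("version", ""), pkg_path
    yield from _walk_v1(lock.get("dependencies"), "")

def find_flagged(lock_text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (name, version, path, known_malicious) for every hit on a flagged name.
    Every version is reported, because the package name itself is the typosquat;
    the boolean marks versions this advisory explicitly flags. Duplicates collapse."""
    hits = set()
    for name, version, path in iter_lock_entries(json.loads(lock_text)):
        if name in FLAGGED_VERSIONS:
            hits.add((name, version, path, version in FLAGGED_VERSIONS[name]))
    return sorted(hits)

# Constructed sample lockfile (not from a real project): one direct dependency on a
# flagged version and one nested copy on a version the advisory does not list.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/dotenv": {"version": "16.4.5"},
        "node_modules/dotenvv-tool": {"version": "1.0.4", "hasInstallScript": True},
        "node_modules/some-lib/node_modules/dotenvv-tool": {"version": "0.9.0"},
    },
})

if __name__ == "__main__":
    for name, version, path, known in find_flagged(SAMPLE_LOCK):
        print(f"{'MALICIOUS' if known else 'SUSPECT'} {name}@{version} at {path}")
```

Run the same function over every lockfile in a monorepo and CI artifact store; any hit, flagged version or not, is grounds for the removal and rotation steps above.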

Frequently asked questions

No. dotenvv-tool on npm has been identified as a malicious package (versions 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002805, IN-MAL-2026-002634, IN-MAL-2026-002636, IN-MAL-2026-002638, IN-MAL-2026-002637, IN-MAL-2026-002635

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks dotenvv-tool-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

dotenvv-tool (npm) malicious package — MAL-2026-3758 | O3 Security