envfile-sync-clinpm

On every import of envfile-sync-cli, src/index.js calls process.dlopen on bin/native/parser.node — a 2.9MB Windows PE executable (sha256 b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3) shipped in the tarball. The dlopen call uses the canonical load-for-side-effects shape (process.dlopen({ exports: {} }, p) with the exports object discarded), so the binary executes for its side effects rather than to provide a parser API. The native binary is functionally redundant: parse.js already implements the env-file parser in pure JavaScript, so there is no engineering reason for the.node file to exist. The package's documentation actively conceals this code: README states 'Zero dependencies. Installs instantly, nothing to audit' and 'No binary to install', the CHANGELOG only documents v1.0.0 (this version is 2.0.0), and the binary is referenced only obliquely via the bin/native/ entry in package.json's files array. The package is also a name/brand mismatch: package.json's name is envfile-sync-cli while the README, npm badge link (npmjs.com/package/envsync), bin alias (envsync), and CHANGELOG all brand the package as envsync — the standard typosquat delivery vehicle where the README impersonates a legitimate package so users trust it, while the published name differs and ships the hidden payload. The combination — undocumented native binary, silent dlopen at import time, redundant with shipped JS, README that explicitly denies the binary's existence, and brand impersonation of a different package — removes any plausible benign explanation and is consistent with smuggling attacker-controlled native code onto Windows installer machines.