MAL-2026-6589: Malicious code in envfile-sync (npm)
The npm package 'envfile-sync' (version 1.0.0) is a malicious package that imitates the legitimate 'envsync' package (typosquatting) and carries hidden native Windows executable code. Its JavaScript API is a non-functional stub; the actual payload is an undocumented 2.9 MB native Windows PE binary that the module loads and executes via process.dlopen as soon as it is imported. The native code therefore runs with the full privileges of the importing process, which is a significant risk for any Windows user or build system that requires the package. The package documentation falsely states that it ships no binaries, which misleads auditors and users who rely on the README rather than inspecting the published tarball.
AI Analysis
Technical Summary
The 'envfile-sync' npm package (version 1.0.0) is designed to masquerade as the legitimate 'envsync' package. Its JavaScript API is a stub that returns hardcoded placeholder values and does not implement the advertised functionality. On import, the module loads and executes an undocumented native Windows PE binary via process.dlopen; the binary is not referenced anywhere in the documentation, which explicitly claims the package has no binaries or dependencies. Because process.dlopen loads native code into the Node.js process itself, the payload executes arbitrary code with the privileges of the importing process on Windows systems. The combination of a plausible JavaScript facade and a native loader that only fires on Windows makes this a concealed code execution threat that a source-level review of the JavaScript alone will not reveal.
Potential Impact
Any Windows user or system that imports 'envfile-sync' version 1.0.0 executes an undocumented native binary with the privileges of the importing process, whether that is a developer's user account, a CI runner, or a service account. This amounts to arbitrary code execution and can compromise the host. The payload is hidden from casual inspection by the misleading documentation and the stub JavaScript exports, so the compromise may go unnoticed for some time.
Mitigation Recommendations
No official patch or fix is available; the remediation for a malicious package is removal. Users and organizations should avoid installing or importing 'envfile-sync' version 1.0.0, audit dependency trees and lockfiles (for example with `npm ls envfile-sync` in each project) to detect it, and remove it wherever it is present. Because the native payload runs at import time, any Windows host on which the package was required should be treated as potentially compromised and investigated, not merely cleaned of the package. Use package integrity verification and trusted sources to reduce exposure to typosquatting, monitor package usage, and replace the package with a legitimate alternative.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6589
- OSV schema version: 1.7.4
- Aliases: none
- Ecosystems: npm
- Database-specific severity: not set
- CVSS version: not set
Threat ID: 6a42ed6527e9c79719938025
Added to database: 06/29/2026, 22:10:45 UTC
Last enriched: 06/29/2026, 22:34:28 UTC
Last updated: 06/30/2026, 00:43:41 UTC