
MAL-2026-6697: Malicious code in @sudoughnym/enviro-demo (npm)

Severity: High
Published: 06/30/2026 (06/30/2026, 20:59:17 UTC)
Source: GCVE Database
Product: @sudoughnym/enviro-demo

Description

The npm package @sudoughnym/enviro-demo version 99.99.99 contains malicious preinstall and postinstall scripts that execute automatically during installation. These scripts collect host identifiers and environment metadata, including hostname, current working directory, process ID, Node.js version, platform, and user environment variables, and send this data as JSON to an attacker-controlled third-party webhook URL. The package is a dependency confusion proof-of-concept designed to outrank internal packages by using an inflated version number. Installing this package leaks sensitive environment information to an unauthorized external endpoint.

Affected software

Ecosystem: npm (ghsa)
Package: @sudoughnym/enviro-demo
Affected versions: =99.99.99


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:43:35 UTC

Technical Analysis

The @sudoughnym/enviro-demo npm package at version 99.99.99 includes lifecycle scripts (preinstall.js and postinstall.js) that run automatically on npm install. These scripts gather detailed host and environment information such as os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total count of environment variables. This collected data is then POSTed as JSON to a third-party webhook URL (https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7) that is not affiliated with the package publisher. The package is intended as a dependency confusion attack proof-of-concept, using a high semver (99.99.99) to supersede internal packages named 'enviro'. The impact is the leakage of host identity and environment variable layout, potentially exposing secret names, to an attacker-controlled endpoint on every installation.

Potential Impact

Any build or developer machine that installs @sudoughnym/enviro-demo@99.99.99 will have host identity and environment metadata exfiltrated to an attacker-controlled external webhook. This includes potentially sensitive environment variable names that could aid further attacks or reconnaissance. The data leakage occurs automatically on installation without user interaction beyond the install command. This compromises confidentiality of environment details and may facilitate subsequent targeted attacks.

Mitigation Recommendations

Avoid installing the @sudoughnym/enviro-demo package, especially version 99.99.99. Verify package names and versions carefully to prevent dependency confusion attacks. Since this is a malicious package published to the public npm registry, do not trust packages with suspiciously high version numbers intended to override internal packages. There is no official patch or fix; remediation involves removing the package and auditing systems for any data exfiltration. Consider using package allowlists or private registries to prevent resolution to malicious public packages.
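The auditing step above ("removing the package and auditing systems") starts with finding out whether the package was ever resolved into a project. The following script is an added example, not part of the advisory or the package: it parses an npm `package-lock.json` (lockfileVersion 2/3 layout, where dependencies are keyed under `"packages"` by their `node_modules/` path), reports any entry matching the name and version this advisory lists, and also flags the inflated-major-version pattern the recommendations warn about. The `SUSPICIOUS_MAJOR` threshold and the sample lockfile are constructed for the example and are not values from the advisory.

```python
"""Scan an npm package-lock.json for the package named in MAL-2026-6697 and
for suspiciously inflated versions, a common dependency-confusion indicator.
Added example; not code from the advisory or the package."""
import json

# Affected package and version as listed in the advisory.
AFFECTED = {"@sudoughnym/enviro-demo": {"99.99.99"}}

# Heuristic: a dependency whose major version is this high is worth a look.
# The threshold is an assumption chosen for this example, not an advisory value.
SUSPICIOUS_MAJOR = 50


def parse_lockfile(text):
    """Return (name, version) pairs from a lockfileVersion 2/3 package-lock.json.

    Entries live under "packages" keyed by path, e.g. "node_modules/@scope/name".
    The root project is keyed by "" and is skipped.
    """
    data = json.loads(text)
    found = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue
        # Nested installs look like "node_modules/a/node_modules/b"; the
        # package name is whatever follows the last "node_modules/".
        name = meta.get("name") or path.split("node_modules/")[-1]
        version = meta.get("version")
        if version:
            found.append((name, version))
    return found


def major_of(version):
    """Parse the major component of a semver string; None if not numeric."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return None


def find_indicators(text):
    """Return (name, version, reason) triples for every suspicious entry."""
    hits = []
    for name, version in parse_lockfile(text):
        if version in AFFECTED.get(name, set()):
            hits.append((name, version, "listed in MAL-2026-6697"))
            continue
        major = major_of(version)
        if major is not None and major >= SUSPICIOUS_MAJOR:
            hits.append((name, version, "suspiciously high major version"))
    return hits


# Constructed sample lockfile: one benign dependency, the advisory's package,
# and an unrelated package with an inflated version to exercise the heuristic.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@sudoughnym/enviro-demo": {"version": "99.99.99"},
        "node_modules/enviro": {"version": "99.0.0"},
    },
})

if __name__ == "__main__":
    for name, version, reason in find_indicators(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Point `find_indicators` at the contents of a real lockfile to audit a project; a hit on the advisory's exact name and version means the package was resolved and the install-time exfiltration described above should be assumed to have happened on every machine that ran `npm install` from that lockfile.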


Technical Details

GCVE Source: db.gcve.eu
OSV Id: MAL-2026-6697
OSV Schema Version: 1.7.4
Aliases: []
Ecosystems: ["npm"]
Database Specific Severity: null
CVSS Version: null

Threat ID: 6a4452db27e9c797198e051d

Added to database: 06/30/2026, 23:35:55 UTC

Last enriched: 06/30/2026, 23:43:35 UTC

Last updated: 06/30/2026, 23:43:35 UTC
