Summary
The sealed-env npm package patched a critical vulnerability (CVE-2026-45091): unseal tokens carried the TOTP secret in plaintext, so anyone who obtained a token could generate valid one-time codes and bypass two-factor authentication.
Take Action:
If you use the sealed-env npm package (versions 0.1.0-alpha.1 through 0.1.0-alpha.3), upgrade as soon as possible to 0.1.0-alpha.4 or later. Every place an unseal token from a vulnerable version was captured (token logs, CI/CD build logs, container dumps, third-party tools such as Sentry) may now hold your TOTP secrets, and upgrading does not undo an exposure that has already happened. After upgrading, rotate all TOTP secrets, and re-seal any environment files that were protected by the vulnerable versions, because the upgrade is a breaking change. Finally, review historical logs and purge any captured tokens.
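The log-review step above in working form, as an added example (this is not sealed-env's code or the article's): a Node script that flags lines carrying TOTP secret material and emits a redacted copy to replace the stored line with. It assumes a leaked secret shows up either inside an otpauth:// URI (secret= parameter) or as a bare RFC 4648 base32 run of 16-64 upper-case characters; the real sealed-env unseal token layout is not described here, so the patterns are a starting point to adapt to your own logs. The sample log lines are constructed.

```javascript
'use strict';

// Added example for the "review historical logs" step; not code from sealed-env
// or from the BeyondMachines article. It flags log lines that carry TOTP secret
// material and produces a redacted copy to replace the stored line with.
// Assumption: a leaked secret appears either inside an otpauth:// URI (secret=
// parameter) or as a bare RFC 4648 base32 run of 16-64 upper-case characters.
// The real sealed-env unseal token layout is not described on the page, so the
// patterns below are a starting point to adapt to your own logs.

const OTPAUTH_SECRET = /(otpauth:\/\/[a-z]+\/[^\s?]*\?[^\s]*?\bsecret=)([A-Za-z2-7]+=*)/gi;
const BASE32_RUN = /(?<![A-Za-z0-9])[A-Z2-7]{16,64}={0,6}(?![A-Za-z0-9])/g;

const RANK = { low: 0, medium: 1, high: 2 };

// Rank a bare base32 run. 80-, 128- and 160-bit secrets encode to 16, 26 and
// 32 chars; other multiples of 8 are accepted for padded encodings. Random
// base32 almost always contains a digit 2-7, so an all-letter run (more likely
// an upper-case identifier) is kept but ranked low instead of dropped.
function classifyBase32(run) {
  const body = run.replace(/=+$/, '');
  if (body.length !== 26 && body.length % 8 !== 0) return null;
  return /[2-7]/.test(body) ? 'medium' : 'low';
}

// Scan one line. Findings at or above minConfidence are replaced with
// [REDACTED] in the returned copy; lower-ranked ones are reported only, so a
// reviewer can confirm them before anything is purged.
function scanLine(line, minConfidence = 'medium') {
  const findings = [];
  const threshold = RANK[minConfidence];
  const redact = (finding, original) => {
    findings.push(finding);
    return RANK[finding.confidence] >= threshold ? '[REDACTED]' : original;
  };
  // otpauth URIs first: the secret= parameter is unambiguous.
  let redacted = line.replace(OTPAUTH_SECRET, (_m, prefix, secret) =>
    prefix + redact({ kind: 'otpauth-secret', confidence: 'high', value: secret }, secret));
  // Then bare runs; the URI secret is already gone, so it is not counted twice.
  redacted = redacted.replace(BASE32_RUN, (run) => {
    const confidence = classifyBase32(run);
    if (confidence === null) return run;
    return redact({ kind: 'base32-run', confidence, value: run }, run);
  });
  return { findings, redacted };
}

// Scan a whole log; returns one entry per line that had at least one finding.
function scanLog(text, minConfidence = 'medium') {
  const report = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const { findings, redacted } = scanLine(line, minConfidence);
    if (findings.length > 0) report.push({ lineNo: i + 1, findings, redacted });
  });
  return report;
}

// Constructed sample log lines (not real sealed-env output).
const SAMPLE_LOG = [
  '2026-03-02T10:14:07Z info  ci: unseal ok token=JBSWY3DPEHPK3PXP env=production',
  '2026-03-02T10:14:08Z debug sentry: breadcrumb otpauth://totp/Acme:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Acme',
  '2026-03-02T10:14:09Z warn  worker: state=UPSTREAMTIMEDOUT retries=3',
  '2026-03-02T10:14:10Z warn  worker: ERRORHANDLERTIMEOUT after 30s',
  '2026-03-02T10:14:11Z info  build: artifact uploaded',
].join('\n');

if (typeof module !== 'undefined' && require.main === module) {
  for (const entry of scanLog(SAMPLE_LOG)) {
    for (const f of entry.findings) {
      console.log(`line ${entry.lineNo}: ${f.kind} (${f.confidence}) ${f.value}`);
    }
    console.log(`  -> ${entry.redacted}`);
  }
}
```

On the sample, line 1 is flagged medium and redacted (a 16-char base32 run with a digit), line 2 is flagged high and its secret= value redacted, line 3 is reported low but left intact (an all-letter 16-char word), and line 4 is ignored because 19 characters is not a plausible secret length. Pass `'low'` as the second argument to redact the low-confidence findings as well once you have reviewed them.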
This article was originally published on BeyondMachines