npm

auth-gen-next @1.7.13

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10449

Ecosystem

npm

Summary

The package impersonates the pino logger (README assets, keywords, and internal filenames such as lib/proto.js, lib/multistream.js, lib/redaction.js, lib/transport.js, lib/writer.js are pino-branded) but its declared purpose is unrelated. On require, index.js loads lib/writer.js, which builds an object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, then unconditionally invokes context.data() from lib/content.js. That function issues an axios GET to https://pro-api.coinmarketcap.com/public-api/v1/ and eval()s a heavily obfuscated string (obfuscator.io-style string array with base64/XOR/RC4 decoders) that reconstructs a JSON-RPC eth_call transport, XOR-decodes the response, and spawns a child process using process.execPath to execute the retrieved payload. lib/writer.js additionally contains a hex-encoded fallback loader decoding to https://www.jsonkeeper.com/b/HY6M6. lib/content.js is heavily obfuscated (while(!![]), array-shift decoder) to hide the destinations and payload from review.

Source: amazon-inspector (49e38202e2579f6591dbc161817859bb99a212cbf6c1e5482b3271acf8fc4de0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.