npm

auth-next-gen @1.7.11

Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC

Malicious

OSV ID

MAL-2026-10180

Ecosystem

npm

Summary

On require of auth-next-gen, index.js loads lib/writer.js, which at module top level performs an axios GET against a base64-obfuscated URL (https://www.jsonkeeper.com/b/GS6NQ, with a second hex-encoded URL https://www.jsonkeeper.com/b/HY6M6 staged the same way) and passes the response body to eval(), yielding arbitrary code execution on the installer under attacker control. In parallel, writer.js builds a data object at module top containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, staged alongside the fetched payload for exfiltration. The destination URLs and the axios/get/then identifiers are hidden behind base64 (atob) and a hex-decoding helper. The package.json advertises the module as an SSR auth-sync helper and the code, keywords (logger, stream, json), and image assets (pino-banner.png, pino-logo-hire.png) are lifted from the pino logger project, functioning as a lure that is unrelated to the actual payload in writer.js. jsonkeeper.com is an anonymous pastebin-style host with mutable content — the exec'd bytes can change at any time without a package update.

Source: amazon-inspector (fe0926f0a2c1f47072efaac014be38bb00c8e9f31f59badf188b1ed74dd5c2ce)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.