auth-state-service @1.6.16
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6655
Ecosystem
npm
Summary
On require('auth-state-service'), the package loads lib/writer.js, which at top level attempts require('ssr-auth-sync') and on failure shells out via execSync to npm install ssr-auth-sync --no-warnings --no-save --no-progress --loglevel silent (windowsHide: true), then require('../../ssr-auth-sync/index.js'). The fetched dependency is unpinned, unverified, separately published, and its code executes inside the consumer's process — a chained-package dropper that keeps the actual payload out of the surface package. Corroborating signals: the only user-visible cover-story error in lib/writer.js is built by concatenating ~80 String.fromCharCode calls (decoding to 'Error: This environment is not supported. Please select the supported environment.') rather than written as a literal, an evasion pattern with no functional purpose. The package identity is also inconsistent — package.json advertises 'auth-state-service' for 'handling user verification' with keywords [fast, logger, stream, json], while lib/ is a verbatim pino logger source tree (proto.js, redaction.js, multistream.js) and ships pino-banner.png, pino-tree.png, pino-logo-hire.png, pretty-demo.png. The mismatched cover identity, combined with the silent unpinned remote install at require time, is a clear supply-chain attack shape.
Source: amazon-inspector (9fc857733e3c372868625f57425574859c653eb8ac16c97171aa9e929de13ca6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.