npm

authmatrix @1.1.7

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6656

Ecosystem

npm

Summary

The package is published as 'authmatrix' with a description suggesting basic auth functionality, but its lib/ tree is a copy of the pino logger and its entry point auth.js requires lib/writer.js. At module top level, writer.js attempts require('ssr-auth-sync') and, on failure, shells out via execSync to run npm install ssr-auth-sync and then requires the just-installed module from a relative path. ssr-auth-sync is not declared in the package's dependencies, so any consumer that imports authmatrix triggers an unattended install and immediate execution of code from a third-party package name the installer never opted into. writer.js additionally hides its failure-path string by assembling it via String.fromCharCode concatenation rather than a literal, a low-grade evasion that co-occurs with the dropper path. The misleading auth-themed identity over a copy of pino, combined with the require-time fetch+execute of an undeclared external package, is a supply-chain dropper pattern.

Source: amazon-inspector (58eb7642f8d7e2fb2e898277c6961d2538f40766777a679020f4872b29925806)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.