authsessionbridge @1.6.29
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6657
Ecosystem
npm
Summary
On require, lib/constants.js (reached transitively from the package main) issues an axios GET to a base64-obfuscated URL at jsonkeeper.com (https://www.jsonkeeper.com/b/PJNZP, with a second endpoint https://www.jsonkeeper.com/b/HY6M6 hex-decoded in the same file) and passes the response body directly to eval(). Immediately before the remote fetch the file constructs an object spreading the full process.env together with os.platform(), os.hostname(), os.userInfo().username and non-internal MAC addresses; this object is in-scope for the eval'd payload, giving the remote operator arbitrary code execution and access to all environment variables and host identifiers of the importing process. Strings such as 'axios', 'get', 'then', and the second jsonkeeper URL are reconstructed via a hex-decoder helper and a base64/atob wrapper to evade casual review and string scanners. The package is published as 'authsessionbridge' with a README about session management, but the shipped tree (pino-banner.png, pino-logo-hire.png, pino-tree.png, lib/proto.js, lib/redaction.js, lib/transport.js, lib/worker.js, lib/multistream.js, keywords 'fast,logger,stream,json', a main function literally named pino, and a 'smoke:pino' script) impersonates the pino logger to lure installs.
Source: amazon-inspector (8c7726c32d14f31a311ae45a86c88fb5c478b8e89d9c71981b7c8ad1da946739)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.