npm

authvaultx @1.7.1

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10185

Ecosystem

npm

Summary

On require() of authvaultx (main: auth.js, which loads lib/writer.js), top-level code attempts to load the separately published npm package 'auth-next-gen'; if not present, it silently shells out to npm install auth-next-gen --loglevel silent and then immediately require() s ../../auth-next-gen/index.js , executing whatever that external package ships. The fetch destination is a separate registry package controlled by the same author space, so the payload can be swapped without republishing authvaultx. lib/writer.js also assembles its user-facing fallback error string via repeated String.fromCharCode() concatenation, obscuring intent from casual review and string scanners. The published package masquerades as a logger (pino banner/logo PNGs, pino-cloned docs/ directory, logger/stream/json keywords) while the README advertises authentication functionality and the actual on-require behavior is a second-stage loader — none of the advertised purposes (logger or auth module) requires fetching and executing another npm package at load time.

Source: amazon-inspector (c6c707d53e30a333f8b8cf03ac2480eee3e2fa9c3c3164b1a100d333c91f9f3a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.