Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in auth-next-gen (npm)

auth-next-gen

Risk score

92

AI summary

Indexed incident for auth-next-gen (npm).

Description

On require of auth-next-gen, index.js loads lib/writer.js, which at module top level performs an axios GET against a base64-obfuscated URL (https://www.jsonkeeper.com/b/GS6NQ, with a second hex-encoded URL https://www.jsonkeeper.com/b/HY6M6 staged the same way) and passes the response body to eval(), yielding arbitrary code execution on the installer under attacker control. In parallel, writer.js builds a data object at module top containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, staged alongside the fetched payload for exfiltration. The destination URLs and the axios/get/then identifiers are hidden behind base64 (atob) and a hex-decoding helper. The package.json advertises the module as an SSR auth-sync helper and the code, keywords (logger, stream, json), and image assets (pino-banner.png, pino-logo-hire.png) are lifted from the pino logger project, functioning as a lure that is unrelated to the actual payload in writer.js. jsonkeeper.com is an anonymous pastebin-style host with mutable content — the exec'd bytes can change at any time without a package update.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.6.29=1.7.11=1.7.2>=0

Indicators

  • Advisory IDs
    90%
  • affected version=1.6.2975%
  • affected version=1.7.1175%
  • affected version=1.7.275%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents