OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6657 confirms this npm version as malicious. On require, lib/constants.js (reached transitively from the package main) issues an axios GET to a base64-obfuscated URL at jsonkeeper.com (https://www.jsonkeeper.com/b/PJNZP, with a second endpoint https://www.jsonkeeper.com/b/HY6M6 hex-decoded in the same file) and passes the response body directly to eval(). Immediately before the remote fetch the file constructs an object spreading the full process.env together...
Advisory
MAL-2026-6657
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in authsessionbridge (npm)
Details
On require, lib/constants.js (reached transitively from the package main) issues an axios GET to a base64-obfuscated URL at jsonkeeper.com (https://www.jsonkeeper.com/b/PJNZP, with a second endpoint https://www.jsonkeeper.com/b/HY6M6 hex-decoded in the same file) and passes the response body directly to eval(). Immediately before the remote fetch the file constructs an object spreading the full process.env together with os.platform(), os.hostname(), os.userInfo().username and non-internal MAC addresses; this object is in-scope for the eval'd payload, giving the remote operator arbitrary code execution and access to all environment variables and host identifiers of the importing process. Strings such as 'axios', 'get', 'then', and the second jsonkeeper URL are reconstructed via a hex-decoder helper and a base64/atob wrapper to evade casual review and string scanners. The package is published as 'authsessionbridge' with a README about session management, but the shipped tree (pino-banner.png, pino-logo-hire.png, pino-tree.png, lib/proto.js, lib/redaction.js, lib/transport.js, lib/worker.js, lib/multistream.js, keywords 'fast,logger,stream,json', a main function literally named pino, and a 'smoke:pino' script) impersonates the pino logger to lure installs.
## Source: ghsa-malware (f5a26abcb9ddf24df87b49d98bed85bbcb21069aaf70f9768817a72698c9598e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms authsessionbridge@1.6.29 as malicious (MAL-2026-6657): Malicious code in authsessionbridge (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory