MAL-2026-10449
Malicious code in auth-gen-next (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (49e38202e2579f6591dbc161817859bb99a212cbf6c1e5482b3271acf8fc4de0) The package impersonates the pino logger (README assets, keywords, and internal filenames such as lib/proto.js, lib/multistream.js, lib/redaction.js, lib/transport.js, lib/writer.js are pino-branded) but its declared purpose is unrelated. On require, index.js loads lib/writer.js, which builds an object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, then unconditionally invokes context.data() from lib/content.js. That function issues an axios GET to https://pro-api.coinmarketcap.com/public-api/v1/ and eval()s a heavily obfuscated string (obfuscator.io-style string array with base64/XOR/RC4 decoders) that reconstructs a JSON-RPC eth_call transport, XOR-decodes the response, and spawns a child process using process.execPath to execute the retrieved payload. lib/writer.js additionally contains a hex-encoded fallback loader decoding to https://www.jsonkeeper.com/b/HY6M6. lib/content.js is heavily obfuscated (while(!![]), array-shift decoder) to hide the destinations and payload from review.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for auth-gen-next (npm). Pin to a known-safe version or switch to an alternative.