MAL-2026-6657

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/authsessionbridge/MAL-2026-6657.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6657
Aliases
  • GHSA-m936-8h93-fqm9
Published
2026-06-29T14:00:15Z
Modified
2026-07-09T17:31:58.240670210Z
Summary
Malicious code in authsessionbridge (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c7726c32d14f31a311ae45a86c88fb5c478b8e89d9c71981b7c8ad1da946739)

On require, lib/constants.js (reached transitively from the package main) issues an axios GET to a base64-obfuscated URL at jsonkeeper.com (https://www.jsonkeeper.com/b/PJNZP, with a second endpoint https://www.jsonkeeper.com/b/HY6M6 hex-decoded in the same file) and passes the response body directly to eval(). Immediately before the remote fetch the file constructs an object spreading the full process.env together with os.platform(), os.hostname(), os.userInfo().username and non-internal MAC addresses; this object is in-scope for the eval'd payload, giving the remote operator arbitrary code execution and access to all environment variables and host identifiers of the importing process. Strings such as 'axios', 'get', 'then', and the second jsonkeeper URL are reconstructed via a hex-decoder helper and a base64/atob wrapper to evade casual review and string scanners. The package is published as 'authsessionbridge' with a README about session management, but the shipped tree (pino-banner.png, pino-logo-hire.png, pino-tree.png, lib/proto.js, lib/redaction.js, lib/transport.js, lib/worker.js, lib/multistream.js, keywords 'fast,logger,stream,json', a main function literally named pino, and a 'smoke:pino' script) impersonates the pino logger to lure installs.

Source: ghsa-malware (f5a26abcb9ddf24df87b49d98bed85bbcb21069aaf70f9768817a72698c9598e)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "id": "GHSA-m936-8h93-fqm9",
            "source": "ghsa-malware",
            "import_time": "2026-06-29T17:14:01.292371187Z",
            "modified_time": "2026-06-29T14:00:15Z",
            "sha256": "f5a26abcb9ddf24df87b49d98bed85bbcb21069aaf70f9768817a72698c9598e"
        },
        {
            "modified_time": "2026-07-09T16:57:08Z",
            "id": "IN-MAL-2026-009332",
            "source": "amazon-inspector",
            "import_time": "2026-07-09T17:19:25.167113999Z",
            "sha256": "8c7726c32d14f31a311ae45a86c88fb5c478b8e89d9c71981b7c8ad1da946739",
            "versions": [
                "1.6.29"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / authsessionbridge

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.6.29

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "lib/constants.js",
            "tlsh": "e2e02be278d87022ba4649f0943c458631528526740f7def01a70a4c0aed9813970ec5",
            "sha256": "f0be485061a3a8d768580035489ab78fd3e15bbe4a3d5000c8dba2336b11fa8b"
        },
        {
            "path": "package.json",
            "tlsh": "8701b800dd65aeb304c82692482a1147a3a18c5f5808bd1833dba32c0f5c47f15ff29c",
            "sha256": "ee28aac5a76d1d8031076697caa18ede2f4032f336b1e39b9f2b831278c61f14"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/authsessionbridge/MAL-2026-6657.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]