Malware in auth-next-gen
Malware was discovered in the npm package auth-next-gen. Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.
- Disclosed
- Last updated
- Blast radius
- Any system with the package installed or running
- Ecosystems
- Attack vectors
- Affected entities
- auth-next-gen
The npm package auth-next-gen was found to contain malware. According to the GitHub Advisory (GHSA-8qpp-8j53-4wh7), any computer with this package installed or running should be considered fully compromised.\n\nImmediate remediation requires rotating all secrets and keys stored on affected systems from a different, uncompromised computer. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nThe advisory was published on 2026-07-11 via the GitHub Advisory Database.
Indicators of compromise
- Packages
- auth-next-gen
Remediation
- Immediately rotate all secrets, keys, and credentials stored on any system that had auth-next-gen installed or running, using a different uncompromised computer
- Remove the auth-next-gen package from all affected systems
- Conduct a full security audit and forensic analysis of any system that had this package installed
- Monitor affected systems for signs of persistent malware or unauthorized access
- Review and revoke any credentials or API keys that may have been exposed
Sources
- GitHub Advisory GHSA-8qpp-8j53-4wh7 · GitHub Advisory Database
Cite this entry
"Malware in auth-next-gen." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 11, 2026; last updated July 11, 2026. https://supplychainattack.org/incident/malware-in-auth-next-gen-101qvo
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in authvaultx
Malware discovered in the npm package authvaultx. Systems with this package installed or running are considered fully compromised and require immediate remediation.
npmCompromised package - activecritical
Malware in @redhat-cloud-services/vulnerabilities-client
Malware was discovered in the npm package @redhat-cloud-services/vulnerabilities-client. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - activecritical
Malware in @redhat-cloud-services/types
Malware was discovered in the npm package @redhat-cloud-services/types. Systems with this package installed or running should be considered fully compromised. All secrets and keys stored on affected computers should be rotated immediately from a different computer.
npmCompromised package - activecritical
Malware in chai-defender
The npm package chai-defender contains malware that fully compromises any system where it is installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.
npmCompromised package