Malware in authvaultx
Malware discovered in the npm package authvaultx. Systems with this package installed or running are considered fully compromised and require immediate remediation.
- Disclosed
- Last updated
- Blast radius
- Any system with authvaultx installed or running
- Ecosystems
- Attack vectors
- Affected entities
- authvaultx
The npm package authvaultx has been identified as containing malware. According to the GitHub Advisory (GHSA-frr6-2jc6-6fhr), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the initial compromise, given that the attacker may have gained full control of the system.\n\nThis is a critical supply chain incident affecting the npm ecosystem.
Indicators of compromise
- Packages
- authvaultx
Remediation
- Immediately isolate any system with authvaultx installed from the network
- Rotate all secrets, API keys, and credentials from a different, uncompromised computer
- Remove the authvaultx package from all affected systems
- Perform a full security audit and malware scan of affected systems
- Review system logs for unauthorized access or activity
- Consider full system rebuild if full compromise is suspected
Sources
- GitHub Advisory GHSA-frr6-2jc6-6fhr · GitHub Advisory Database
Cite this entry
"Malware in authvaultx." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 11, 2026; last updated July 11, 2026. https://supplychainattack.org/incident/malware-in-authvaultx-sib1k6
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malware in auth-next-gen
Malware was discovered in the npm package auth-next-gen. Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.
npmCompromised package - activecritical
Malware in @redhat-cloud-services/vulnerabilities-client
Malware was discovered in the npm package @redhat-cloud-services/vulnerabilities-client. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - activecritical
Malware in @redhat-cloud-services/types
Malware was discovered in the npm package @redhat-cloud-services/types. Systems with this package installed or running should be considered fully compromised. All secrets and keys stored on affected computers should be rotated immediately from a different computer.
npmCompromised package - activecritical
Malware in chai-defender
The npm package chai-defender contains malware that fully compromises any system where it is installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.
npmCompromised package