Malicious package

auth0.net (npm)

Malicious code in auth0.net (npm). Remove it immediately and rotate any exposed credentials.

MAL-2024-1783
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall auth0.net

What this malware does

On npm install, package.json's preinstall (and preupdate/test) hook runs nslookup bkxajsfkvlurhaoeotqbqf3fg2sitbxll.oast.fun. The destination oast.fun is the Project Discovery interactsh out-of-band callback service used to confirm code execution on victim hosts via a unique DNS subdomain. Firing automatically on install leaks the installer's existence and the corporate DNS resolver's egress IP to an attacker-controlled nameserver, with the unique subdomain serving as a per-victim correlation token. The package itself is hollow — index.js is empty, description is the placeholder 'Internal package', and author is 'Team' — and the package name auth0.net impersonates the Auth0 brand, consistent with a dependency-confusion attempt against an internal Auth0/.NET package name. The DNS beacon is the recon stage of that attack: the operator learns which organizations have misconfigured their registry resolution to pull this public package instead of an internal one, enabling targeted follow-on compromise.

Malicious versions

2 flagged

  • 7.22.1
  • 39.1.0

Indicators of compromise (SHA-256)

31fb618f0bf6bb37e60f2a94d7ae0fb90ca439b8e141db9520a006242a335b55
a033bb29ca10ee2dc795b9b881533ca73ab35ca29f4f421f7871a6057ac58ecf
299295a8f62b96e6336a60ce85d2212185bf0cf424cc548d8bca9f0b14ed85c1

Frequently asked questions

No. auth0.net on npm has been identified as a malicious package (versions 7.22.1, 39.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2024-00377
  • RLUA-2024-06178
  • IN-MAL-2026-006011

Credits

  • Amazon Inspector · finder
  • ReversingLabs · finder

auth0.net (npm) malicious package — MAL-2024-1783 | O3 Security