Which versions of ssr-auth-sync are malicious?

The following npm versions of ssr-auth-sync are flagged malicious: 1.6.16. Treat any of these as compromised.

How do I remediate ssr-auth-sync if I installed it?

Remove ssr-auth-sync from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ssr-auth-sync part of a known attack campaign?

Yes — ssr-auth-sync is associated with the IN-MAL-2026-006844 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ssr-auth-sync in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ssr-auth-sync and packages like it before any post-install script runs.

Malicious package

ssr-auth-syncnpm

Malicious code in ssr-auth-sync (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5934

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ssr-auth-sync

What this malware does

On require('ssr-auth-sync'), index.js loads lib/writer.js, which immediately fetches a base64-hidden URL (https://www.jsonkeeper.com/b/PJNZP, an anonymous pastebin-style host) via axios and passes the response body to eval. Just before the fetch, writer.js assembles an object containing the full process.env spread plus os.hostname(), os.userInfo().username, os.platform(), package version, and MAC addresses; this object is in lexical scope when eval runs, giving the attacker-served code a ready-to-exfiltrate payload of every secret in the installer's or CI's environment (AWS keys, npm tokens, CI secrets, etc.). A second covert channel is also present: a hex-decoding helper g() and an array hl containing hex-encoded strings that decode to 'axios', 'get', 'https://www.jsonkeeper.com/b/HY6M6', and 'then' — a parallel dropper hidden from string scanners. The package falsely advertises itself as an 'SSR auth sync' module while exporting a pino-shaped API and shipping pino-*.png brand assets, impersonating the popular pino logger to attract installs. Any project that adds this package to its dependency tree executes attacker-controlled code in its Node process the moment the module is required.

Malicious versions

1 flagged

1.6.16

Indicators of compromise (SHA-256)

7fe43338279cb894ffacc18ef9ec757d4b4fa8b603672b0bedcb4c00d9f8a806

Frequently asked questions

No. ssr-auth-sync on npm has been identified as a malicious package (version 1.6.16 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006844

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection