ZeroDayWire ADVISORY: NPM Package 'Next-Auth' Hijacked, Millions of Apps at Risk
(ZeroDayWire) – A widespread and critical software supply chain attack is underway, targeting millions of web applications that rely on the popular NPM package "Next-Auth" (now known as Auth.js). Security researchers have confirmed that the official NPM account of a lead maintainer for the project was compromised, allowing attackers to publish malicious versions of the widely used authentication library. Any application that has updated to these compromised versions is at immediate risk of credential and session token theft. This incident represents a nightmare scenario for the JavaScript ecosystem and a critical threat for any company using the library.
The Attack: A Sophisticated Account Takeover
This was not an exploit against the code of Next-Auth itself, but an attack on the human element of the open-source supply chain. Attackers reportedly used a targeted phishing campaign to steal the NPM account credentials of a key developer on the project. Once they controlled that trusted account, they could publish new patch versions of the library to the official NPM registry, and a patch version is exactly what a caret range such as `"next-auth": "^4.24.0"` in a `package.json` will accept automatically.
These versions contained all of the original, legitimate Next-Auth code plus a few small malicious additions. The added code runs inside the application's own server-side process, so it can read everything that process can: environment variables (API keys, database connection strings, the secret used to sign session tokens) and the session tokens of users authenticating through the library. It collected these values and sent them to an attacker-controlled server. Because the update was published from a legitimate maintainer account, any `npm install` or `npm update` that resolved the caret range afresh, in CI pipelines, automated dependency bots, and developers' laptops alike, pulled the poisoned version and installed a backdoor without any warning.
The Impact: A Critical Blow to Web Authentication
Next-Auth/Auth.js is one of the most popular and trusted solutions for adding authentication to web applications, especially those built with the Next.js framework. It is used in millions of projects, from small personal websites to large enterprise platforms. A compromise of this library is devastating because it strikes at the very heart of an application's security: the login process.
By stealing API keys and session tokens, attackers can:
- Impersonate Users: Gain access to user accounts on the affected websites, view or modify their data, and perform actions on their behalf.
- Access Backend Systems: Use stolen server-side API keys to access and steal data from connected databases and other third-party services.
- Launch Further Attacks: Use the compromised web application as a trusted launchpad to attack its users.
Immediate Actions and Mitigation
Any organization using Next-Auth/Auth.js in their projects must take immediate action.
- 1. Identify and Pin Dependencies: Check which versions of `next-auth` are actually installed, not just what `package.json` asks for. Run `npm ls next-auth` and inspect `package-lock.json`, because a second, nested copy can be pulled in by another dependency and will not appear in your own dependency list. Revert to the last known "safe" version and pin it exactly (`"next-auth": "4.x.y"`, with no `^` or `~`), add an `overrides` entry for it so transitive copies are forced to the same version, commit the regenerated lockfile, and build with `npm ci` rather than `npm install` so CI installs only what the lockfile records.
- 2. Rotate All Secrets: Assume that every secret present in the environment of the affected process has been stolen: third-party API keys, OAuth client secrets, database credentials, cloud credentials, and the session signing secret (`NEXTAUTH_SECRET`, or `AUTH_SECRET` in Auth.js). Rotate every one of them, and treat the old values as known to the attacker.
- 3. Invalidate User Sessions: Force a global logout for all of your users. With the JWT session strategy, rotating the signing secret from step 2 already invalidates every existing token, since none of them will verify against the new secret; with the database session strategy, delete the rows of the sessions table as well.
- 4. Enable MFA on Package Registries: For developers, this incident is a critical reminder to secure your NPM, GitHub, and other registry accounts with the strongest available Multi-Factor Authentication. On npm, `npm profile enable-2fa auth-and-writes` requires a second factor for publishing, not only for login, and short-lived granular access tokens limit what a stolen token can do.
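The following script, added here as an example and not taken from the advisory, from npm, or from the Next-Auth/Auth.js project, carries out step 1 in code: it walks a `package-lock.json`, lists every installed copy of `next-auth` (direct and nested), flags copies newer than a "last known safe" version, and prints the `overrides` fragment that forces all copies back to it. The `LAST_SAFE` value and the two embedded lockfiles are constructed placeholders for illustration, not statements about any real release; replace the cutoff with the version named in the vendor advisory.

```javascript
// Added example for this advisory; not code from next-auth/Auth.js or npm.
// Lists every installed copy of a package in a package-lock.json, flags copies
// newer than a last-known-safe version, and emits the package.json "overrides"
// entry that pins all copies (direct and transitive) to that version.

const PACKAGE = "next-auth";
// PLACEHOLDER assumption for illustration only; take the real cutoff from the advisory.
const LAST_SAFE = "4.24.5";

// Constructed sample lockfile in the lockfileVersion 3 layout: one direct copy
// and one nested copy pulled in by a hypothetical "dashboard-kit" dependency.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "next-auth": "^4.24.0", "dashboard-kit": "^1.2.0" } },
    "node_modules/next-auth": { version: "4.24.5" },
    "node_modules/dashboard-kit": { version: "1.2.3", dependencies: { "next-auth": "4.24.7" } },
    "node_modules/dashboard-kit/node_modules/next-auth": { version: "4.24.7" },
  },
};

// The same constructed tree in the older lockfileVersion 1 layout (nested "dependencies").
const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "next-auth": { version: "4.24.5" },
    "dashboard-kit": { version: "1.2.3", dependencies: { "next-auth": { version: "4.24.7" } } },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; prerelease tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "4.24.10" sorts after "4.24.9" (a string compare would not).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every installed copy of `name`, as {path, version}. Lockfile v2/v3 keep a flat
// "packages" map keyed by node_modules path; v1 nests "dependencies" recursively.
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: entry.version });
      walk(entry.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Split installed copies into all copies and those newer than the last safe version.
function auditLock(lock, name, lastSafe) {
  const installed = findInstalled(lock, name);
  const suspicious = installed.filter((c) => compareSemver(c.version, lastSafe) > 0);
  return { installed, suspicious };
}

// package.json "overrides" fragment that forces every copy, transitive ones included.
function overridesFor(name, version) {
  return { overrides: { [name]: version } };
}

// Usage: node audit-lock.js [path/to/package-lock.json]; without a path, the sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK_V3;
  const { installed, suspicious } = auditLock(lock, PACKAGE, LAST_SAFE);
  for (const c of installed) console.log(`${c.path}: ${c.version}`);
  if (suspicious.length) {
    console.log(`\n${suspicious.length} copy(ies) newer than ${LAST_SAFE}; add to package.json:`);
    console.log(JSON.stringify(overridesFor(PACKAGE, LAST_SAFE), null, 2));
  }
}
```

On the sample lockfile the direct copy passes and the nested copy under `dashboard-kit` is flagged, which is the case `npm ls` output is easy to skim past. When you apply the `overrides` entry, npm requires it to agree with the direct dependency spec, so set `"next-auth"` to the same exact version in `dependencies` (no caret) as in `overrides`, then regenerate the lockfile and verify with `npm ls next-auth` that only one version remains.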
Conclusion: The Open-Source Double-Edged Sword
The open-source ecosystem has enabled an unprecedented era of rapid software development, but it is built on a foundation of trust that can be shattered in an instant. This hijacking of a major NPM package demonstrates that the most critical vulnerability is often not in the code itself, but in the security of the developer accounts that maintain it. This incident is a painful lesson in the fragility of the software supply chain and a clear signal that organizations must adopt a "zero trust" approach not just for their networks, but for the very code they build their businesses on.