VYPR

npm · Malicious package advisory

Malware

claimora

MAL-2026-5608

Malicious code in claimora (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1b785b842f24aeae0e20157784b17a8bff7003e72575ac9a3aa9cbeb550a5c92)
claimora impersonates the jsonwebtoken library (auth0): package.json sets author to "auth0", points repository at a non-existent github.com/auth0/node-claimora, and re-exports the jsonwebtoken API surface (sign/verify/decode plus JsonWebTokenError/NotBeforeError/TokenExpiredError). README and LICENSE text are copied from node-jsonwebtoken. The main entry index.js loads decode.js, which at module top level invokes getThirdCookie() — this issues an axios GET to https://jsonkeeper.com/b/0GXBD, takes response.data.errCode (attacker-controlled JavaScript on a mutable public paste service), constructs `new Function.constructor("require", errCode)`, and invokes the resulting handler with `require`. Any process that requires claimora executes whatever code the operator of that paste currently serves, with full Node module access (filesystem, network, child_process, env). The legitimate jsonwebtoken library performs zero network I/O; this clone adds a remote-fetch-and-eval path executed unconditionally on import.

Compromised versions (1)

  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.