npm · Malicious package advisory
Malwareclaimora
MAL-2026-5608
Malicious code in claimora (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1b785b842f24aeae0e20157784b17a8bff7003e72575ac9a3aa9cbeb550a5c92)
claimora impersonates the jsonwebtoken library (auth0): package.json sets author to "auth0", points repository at a non-existent github.com/auth0/node-claimora, and re-exports the jsonwebtoken API surface (sign/verify/decode plus JsonWebTokenError/NotBeforeError/TokenExpiredError). README and LICENSE text are copied from node-jsonwebtoken. The main entry index.js loads decode.js, which at module top level invokes getThirdCookie() — this issues an axios GET to https://jsonkeeper.com/b/0GXBD, takes response.data.errCode (attacker-controlled JavaScript on a mutable public paste service), constructs `new Function.constructor("require", errCode)`, and invokes the resulting handler with `require`. Any process that requires claimora executes whatever code the operator of that paste currently serves, with full Node module access (filesystem, network, child_process, env). The legitimate jsonwebtoken library performs zero network I/O; this clone adds a remote-fetch-and-eval path executed unconditionally on import.
Compromised versions (1)
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.