npm · Malicious package advisory
Malwarejwtmode
MAL-2026-6093
Malicious code in jwtmode (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a)
On require('jwtmode'), decode.js immediately invokes getThirdCookie(), which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response field response.data.errCode, passes it to `new Function.constructor('require', errCode)`, and invokes the resulting function with the real Node `require`. This is unconditional remote code execution at import time from a mutable, attacker-controlled paste host, with full Node capability (filesystem, network, child_process) via `require`. The package additionally impersonates auth0's jsonwebtoken: it is named jwtmode, declares `author: auth0`, points its repository field at a non-existent github.com/auth0/node-jwtmode, and re-exports jsonwebtoken's public API surface (decode, JsonWebTokenError, NotBeforeError, TokenExpiredError) — a brand-impersonation lure to trick developers into installing it instead of jsonwebtoken. Any project that requires jwtmode will execute whatever JavaScript the operator of jsonkeeper.com/b/AZ9ZF chooses to serve at that moment.
Compromised versions (1)
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.