{"id":"MAL-2026-4592","summary":"Malicious code in jsontoken-extend (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742)\nOn require()/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK, fetches the JSON body, and passes data.content directly to eval(). jsonkeeper.com is an anonymous, mutable paste service — the author can change the executed payload at any time without republishing the package, giving arbitrary remote code execution on every consumer at import time. A second base64-encoded URL (https://www.jsonkeeper.com/b/W80UP) is staged but commented out, indicating multiple prepared payloads. The package name and public API (sign/verify/decode plus JsonWebTokenError/NotBeforeError/TokenExpiredError) mirror the popular jsonwebtoken library exactly, and it even declares jsonwebtoken as a dependency to pass through legitimate-looking calls — a typosquat lure to attract developers searching for the real JWT library. Base64-wrapping the C2 URLs is a deliberate static-analysis evasion. \nThree independent block signals are present: import-time fetch+eval from an anonymous mutable host, typosquat naming/API mirroring with malicious payload, and obfuscated C2 URL constants.\n","modified":"2026-05-26T06:02:37.692513721Z","published":"2026-05-25T15:26:07Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:08.670729079Z","source":"amazon-inspector","id":"IN-MAL-2026-004715","versions":["1.0.12"],"sha256":"166f0f03fe28af87dca30356e92bd090fdf203f729aa761976487a818212e830","modified_time":"2026-05-25T15:58:04Z"},{"import_time":"2026-05-26T05:53:08.789544431Z","source":"amazon-inspector","id":"IN-MAL-2026-004716","versions":["1.0.12"],"sha256":"8907906fb6b1164ec1dc6d4ddf86f76c0ddbe872cae57a5655b72450b08049dc","modified_time":"2026-05-25T15:58:18Z"},{"import_time":"2026-05-26T05:53:06.819413501Z","source":"amazon-inspector","id":"IN-MAL-2026-004700","versions":["1.0.11"],"sha256":"a6ee9c49ff4f24ff70f0f61fd7de9e1a73b10b57f3bbafe4fda47cb01cf92ebf","modified_time":"2026-05-25T15:26:12Z"},{"import_time":"2026-05-26T05:53:06.681293593Z","source":"amazon-inspector","id":"IN-MAL-2026-004699","versions":["1.0.11"],"sha256":"59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742","modified_time":"2026-05-25T15:26:07Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/jsontoken-extend/v/1.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jsontoken-extend/v/1.0.11"}],"affected":[{"package":{"name":"jsontoken-extend","ecosystem":"npm","purl":"pkg:npm/jsontoken-extend"},"versions":["1.0.12","1.0.11"],"database_specific":{"indicators":{"package_integrity":[{"filename":"jsontoken-extend-1.0.12.tgz","hashes":{"sha512_sri":"sha512-FzEAwh5mAu3FoJ8/MsywR7aJMX29wpcvywcm1YjoOQN202mOp3zzsFjkTn4LMSAyHOJ3Np4pn9NC9rttUu4ZlA==","sha1":"a4e44ac13141db7ab9df422b01dcb09227aea2ca"}}],"evidence_files":[{"tlsh":"af227244a4f2922288a320f2f44fe507b539e697356c6ed176cc4394cf898e4e6f7a94","sha256":"e135d3304dec791ebc5bbe8de68881b5e0e287d0bb7b283ada42c0e2aaaba3b5","path":"sign.js"},{"tlsh":"8a216801ce18ce6311d9a2e66e2d0583592188439d84fc0d33ea578c0f5c63f39bea6c","sha256":"bde0631a9b7e3e43398e1769f303c82c0d5742b6c33949c9fe19b0e114e987ac","path":"package.json"}],"domains":["www.jsonkeeper.com","34.4.16.104.in-addr.arpa","ip-api.com"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsontoken-extend/MAL-2026-4592.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}