{"id":"MAL-2026-6093","summary":"Malicious code in jwtmode (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a)\nOn require('jwtmode'), decode.js immediately invokes getThirdCookie(), which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response field response.data.errCode, passes it to `new Function.constructor('require', errCode)`, and invokes the resulting function with the real Node `require`. This is unconditional remote code execution at import time from a mutable, attacker-controlled paste host, with full Node capability (filesystem, network, child_process) via `require`. The package additionally impersonates auth0's jsonwebtoken: it is named jwtmode, declares `author: auth0`, points its repository field at a non-existent github.com/auth0/node-jwtmode, and re-exports jsonwebtoken's public API surface (decode, JsonWebTokenError, NotBeforeError, TokenExpiredError) — a brand-impersonation lure to trick developers into installing it instead of jsonwebtoken. Any project that requires jwtmode will execute whatever JavaScript the operator of jsonkeeper.com/b/AZ9ZF chooses to serve at that moment.\n","modified":"2026-06-18T05:46:39.885884551Z","published":"2026-06-18T04:09:05Z","database_specific":{"malicious-packages-origins":[{"sha256":"b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a","modified_time":"2026-06-18T04:09:05Z","id":"IN-MAL-2026-006975","source":"amazon-inspector","versions":["1.0.4"],"import_time":"2026-06-18T05:42:06.272970901Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/jwtmode/v/1.0.4"}],"affected":[{"package":{"name":"jwtmode","ecosystem":"npm","purl":"pkg:npm/jwtmode"},"versions":["1.0.4"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"16219e9c59eeb1144ba730e1c61f54223229f203358ecac0775c83d5afa5968f973bd5","path":"decode.js","sha256":"f08ebf8d613913678be0788cdb3c3b3872dfa87ee4001ac2d432b7b72306d06f"},{"tlsh":"96215712cd649db31adda1e59d2d008276658c478d84bd0c33ea074c4f6d53f25feaac","path":"package.json","sha256":"f452cd692fe2c7919c9989238ce7068052f52afe3fa1fb0ede8a1939ee506f6c"}],"package_integrity":[{"filename":"jwtmode-1.0.4.tgz","hashes":{"sha512_sri":"sha512-IvLcmkTthtv51TmRaV5Be9eWmxZuv0pDQkryokTRdWLZLsZ1s9qX8IPV8Y4dF6i8DOw+ezhrqFnrTD08nyDIgQ==","sha1":"262b4f36f0a35169ec6d78ca045bf5c79d2873b5"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jwtmode/MAL-2026-6093.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}