MAL-2026-10132

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-jsonwebtoken/MAL-2026-10132.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10132
Published
2026-07-10T16:16:01Z
Modified
2026-07-10T16:32:00.259675300Z
Summary
Malicious code in react-jsonwebtoken (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2b46ca6ae72ce6f079c34ec6d1d1d2be46b36fe429374393f0fe57539fe56ee3)

Package name mimics the widely-used 'jsonwebtoken' library and falsely declares 'auth0' as author, while the repository URL points to the unrelated 'github.com/radix-ui/primitives'. On require(), decode.js unconditionally invokes a helper (getThirdCookie) that performs an HTTPS GET to https://jsonkeeper.com/b/E69V3 — an anonymous, mutable paste endpoint — and passes the response body into new Function.constructor("require", errCode), then executes the resulting function with the host's require. This grants the remote content full Node.js capabilities on the consumer's machine as soon as any code loads the module. The code path is hidden behind a benign-sounding helper name and uses indirect Function construction to evade simple pattern matching. The combination of impersonated author metadata, name confusion with a top-100 auth library, and an obfuscated require-time remote-code loader is an unambiguous supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2b46ca6ae72ce6f079c34ec6d1d1d2be46b36fe429374393f0fe57539fe56ee3",
            "id": "IN-MAL-2026-009640",
            "import_time": "2026-07-10T16:19:44.3724781Z",
            "modified_time": "2026-07-10T16:16:10Z",
            "versions": [
                "9.0.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "9.0.5"
            ],
            "id": "IN-MAL-2026-009639",
            "import_time": "2026-07-10T16:19:44.271341314Z",
            "modified_time": "2026-07-10T16:16:01Z",
            "sha256": "3792a6c469fb9e9266f414755e5e9ab46857e9f95a9852ea66261bcdbc80a4eb",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "9.0.4"
            ],
            "id": "IN-MAL-2026-009641",
            "import_time": "2026-07-10T16:19:44.503650229Z",
            "modified_time": "2026-07-10T16:16:17Z",
            "sha256": "4640784a797c88ab6742f7da14e8e13e7e33bf16a9a93c31104ffb130e051dbc",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / react-jsonwebtoken

Package

Affected ranges

Affected versions

9.*
9.0.3
9.0.4
9.0.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "react-jsonwebtoken-9.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-Uas9GELs34HVPMK/KSAjQAT3x/zcO6+MZkB6A8oBn2an5pYfELWpv8A8IEdZxHYKt4lFDkmFraioGiKQFT6hgw==",
                "sha1": "e5118012fffdb727b37bff35f6f1581f55c58da8"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "4a305f231188593c2695ad90b49a211de580d12c7e0db5f0903e3dd961627eb0",
            "tlsh": "e8218701cd24eda316dda2e49d6d018266204c439d88fc0c37ea035c4f6d53f25feaad",
            "path": "package.json"
        },
        {
            "sha256": "58ff55bc86bc3c045aaf4dcf1ed7d12dd6f3e38763a9a8dfdc8ac74ab1cf01c0",
            "tlsh": "6521acdc59eea1145ba730e0c61f54223128f203258eca80b75c83d5afa4928f973ad5",
            "path": "decode.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-jsonwebtoken/MAL-2026-10132.json"