MAL-2026-4592

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsontoken-extend/MAL-2026-4592.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4592
Published
2026-05-25T15:26:07Z
Modified
2026-05-26T06:02:37.692513721Z
Summary
Malicious code in jsontoken-extend (npm)
Details

Source: amazon-inspector (59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742)

On require()/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK, fetches the JSON body, and passes data.content directly to eval(). jsonkeeper.com is an anonymous, mutable paste service — the author can change the executed payload at any time without republishing the package, giving arbitrary remote code execution on every consumer at import time. A second base64-encoded URL (https://www.jsonkeeper.com/b/W80UP) is staged but commented out, indicating multiple prepared payloads. The package name and public API (sign/verify/decode plus JsonWebTokenError/NotBeforeError/TokenExpiredError) mirror the popular jsonwebtoken library exactly, and it even declares jsonwebtoken as a dependency to pass through legitimate-looking calls — a typosquat lure to attract developers searching for the real JWT library. Base64-wrapping the C2 URLs is a deliberate static-analysis evasion. Three independent block signals are present: import-time fetch+eval from an anonymous mutable host, typosquat naming/API mirroring with malicious payload, and obfuscated C2 URL constants.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "166f0f03fe28af87dca30356e92bd090fdf203f729aa761976487a818212e830",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T15:58:04Z",
            "import_time": "2026-05-26T05:53:08.670729079Z",
            "versions": [
                "1.0.12"
            ],
            "id": "IN-MAL-2026-004715"
        },
        {
            "sha256": "8907906fb6b1164ec1dc6d4ddf86f76c0ddbe872cae57a5655b72450b08049dc",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T15:58:18Z",
            "import_time": "2026-05-26T05:53:08.789544431Z",
            "versions": [
                "1.0.12"
            ],
            "id": "IN-MAL-2026-004716"
        },
        {
            "source": "amazon-inspector",
            "sha256": "a6ee9c49ff4f24ff70f0f61fd7de9e1a73b10b57f3bbafe4fda47cb01cf92ebf",
            "modified_time": "2026-05-25T15:26:12Z",
            "versions": [
                "1.0.11"
            ],
            "id": "IN-MAL-2026-004700",
            "import_time": "2026-05-26T05:53:06.819413501Z"
        },
        {
            "sha256": "59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T15:26:07Z",
            "import_time": "2026-05-26T05:53:06.681293593Z",
            "versions": [
                "1.0.11"
            ],
            "id": "IN-MAL-2026-004699"
        }
    ]
}

Affected packages

Package: npm / jsontoken-extend
Affected ranges: 1.*
Affected versions: 1.0.11, 1.0.12

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsontoken-extend/MAL-2026-4592.json"
indicators
{
    "domains": [
        "www.jsonkeeper.com",
        "34.4.16.104.in-addr.arpa",
        "ip-api.com"
    ],
    "package_integrity": [
        {
            "filename": "jsontoken-extend-1.0.12.tgz",
            "hashes": {
                "sha1": "a4e44ac13141db7ab9df422b01dcb09227aea2ca",
                "sha512_sri": "sha512-FzEAwh5mAu3FoJ8/MsywR7aJMX29wpcvywcm1YjoOQN202mOp3zzsFjkTn4LMSAyHOJ3Np4pn9NC9rttUu4ZlA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "sign.js",
            "tlsh": "af227244a4f2922288a320f2f44fe507b539e697356c6ed176cc4394cf898e4e6f7a94",
            "sha256": "e135d3304dec791ebc5bbe8de68881b5e0e287d0bb7b283ada42c0e2aaaba3b5"
        },
        {
            "path": "package.json",
            "tlsh": "8a216801ce18ce6311d9a2e66e2d0583592188439d84fc0d33ea578c0f5c63f39bea6c",
            "sha256": "bde0631a9b7e3e43398e1769f303c82c0d5742b6c33949c9fe19b0e114e987ac"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]