MAL-2026-6093

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jwtmode/MAL-2026-6093.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6093

Published

2026-06-18T04:09:05Z

Modified

2026-06-18T05:46:39.885884551Z

Summary

Malicious code in jwtmode (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a)

On require('jwtmode'), decode.js immediately invokes getThirdCookie(), which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response field response.data.errCode, passes it to new Function.constructor('require', errCode), and invokes the resulting function with the real Node require. This is unconditional remote code execution at import time from a mutable, attacker-controlled paste host, with full Node capability (filesystem, network, child_process) via require. The package additionally impersonates auth0's jsonwebtoken: it is named jwtmode, declares author: auth0, points its repository field at a non-existent github.com/auth0/node-jwtmode, and re-exports jsonwebtoken's public API surface (decode, JsonWebTokenError, NotBeforeError, TokenExpiredError) — a brand-impersonation lure to trick developers into installing it instead of jsonwebtoken. Any project that requires jwtmode will execute whatever JavaScript the operator of jsonkeeper.com/b/AZ9ZF chooses to serve at that moment.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T04:09:05Z",
            "id": "IN-MAL-2026-006975",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-06-18T05:42:06.272970901Z"
        }
    ]
}

References

https://www.npmjs.com/package/jwtmode/v/1.0.4

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / jwtmode

Package

Name: jwtmode; View open source insights on deps.dev
Purl: pkg:npm/jwtmode

Affected ranges

Affected versions

1.*

1.0.4

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jwtmode/MAL-2026-6093.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "f08ebf8d613913678be0788cdb3c3b3872dfa87ee4001ac2d432b7b72306d06f",
            "tlsh": "16219e9c59eeb1144ba730e1c61f54223229f203358ecac0775c83d5afa5968f973bd5",
            "path": "decode.js"
        },
        {
            "sha256": "f452cd692fe2c7919c9989238ce7068052f52afe3fa1fb0ede8a1939ee506f6c",
            "tlsh": "96215712cd649db31adda1e59d2d008276658c478d84bd0c33ea074c4f6d53f25feaac",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-IvLcmkTthtv51TmRaV5Be9eWmxZuv0pDQkryokTRdWLZLsZ1s9qX8IPV8Y4dF6i8DOw+ezhrqFnrTD08nyDIgQ==",
                "sha1": "262b4f36f0a35169ec6d78ca045bf5c79d2873b5"
            },
            "filename": "jwtmode-1.0.4.tgz"
        }
    ]
}