OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10116 confirms this npm version as malicious. On module load, jwtmethod's decode.js executes a top-level routine that performs an HTTPS GET to https://jsonkeeper.com/b/E69V3 and passes the response body to `new Function.constructor('require', errCode)`, then invokes the resulting function with the host's `require`. The fetched content is attacker-controlled (jsonkeeper.com is a mutable third-party paste host) and is executed with full Node capabilities, giving...
Advisory
MAL-2026-10116
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in jwtmethod (npm)
Details
On module load, jwtmethod's decode.js executes a top-level routine that performs an HTTPS GET to https://jsonkeeper.com/b/E69V3 and passes the response body to `new Function.constructor('require', errCode)`, then invokes the resulting function with the host's `require`. The fetched content is attacker-controlled (jsonkeeper.com is a mutable third-party paste host) and is executed with full Node capabilities, giving the attacker arbitrary code execution on the installer's machine the moment any consumer imports the package. Package metadata is forged to impersonate the auth0/jsonwebtoken ecosystem: package.json sets `author: auth0` and points `repository`/`bugs` at github.com/radix-ui/primitives, and README.md is the unrelated `react-text` documentation from radix-ui — a lure designed to entice installers looking for a JWT library.
Decision reason
OpenSSF Malicious Packages via OSV confirms jwtmethod@1.1.10 as malicious (MAL-2026-10116): Malicious code in jwtmethod (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory