registry  /  react-jsonwebtoken  /  9.0.5

react-jsonwebtoken@9.0.5

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10132 confirms this npm version as malicious. Package name mimics the widely-used 'jsonwebtoken' library and falsely declares 'auth0' as author, while the repository URL points to the unrelated 'github.com/radix-ui/primitives'. On require(), decode.js unconditionally invokes a helper (getThirdCookie) that performs an HTTPS GET to https://jsonkeeper.com/b/E69V3 — an anonymous, mutable paste endpoint — and passes the response body into `new...

Advisory
MAL-2026-10132
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-jsonwebtoken (npm)
Details
Package name mimics the widely-used 'jsonwebtoken' library and falsely declares 'auth0' as author, while the repository URL points to the unrelated 'github.com/radix-ui/primitives'. On require(), decode.js unconditionally invokes a helper (getThirdCookie) that performs an HTTPS GET to https://jsonkeeper.com/b/E69V3 — an anonymous, mutable paste endpoint — and passes the response body into `new Function.constructor("require", errCode)`, then executes the resulting function with the host's require. This grants the remote content full Node.js capabilities on the consumer's machine as soon as any code loads the module. The code path is hidden behind a benign-sounding helper name and uses indirect Function construction to evade simple pattern matching. The combination of impersonated author metadata, name confusion with a top-100 auth library, and an obfuscated require-time remote-code loader is an unambiguous supply-chain attack.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Network
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 5.70 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Medium1 Low
MediumNetwork
LowScripts Present