Malicious package

jsontoken-extend (npm)

Malicious code in jsontoken-extend (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4592
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall jsontoken-extend

What this malware does

On require()/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK, fetches the JSON body, and passes data.content directly to eval(). jsonkeeper.com is an anonymous, mutable paste service — the author can change the executed payload at any time without republishing the package, giving arbitrary remote code execution on every consumer at import time. A second base64-encoded URL (https://www.jsonkeeper.com/b/W80UP) is staged but commented out, indicating multiple prepared payloads. The package name and public API (sign/verify/decode plus JsonWebTokenError/NotBeforeError/TokenExpiredError) mirror the popular jsonwebtoken library exactly, and it even declares jsonwebtoken as a dependency to pass through legitimate-looking calls — a typosquat lure to attract developers searching for the real JWT library. Base64-wrapping the C2 URLs is a deliberate static-analysis evasion. Three independent block signals are present: import-time fetch+eval from an anonymous mutable host, typosquat naming/API mirroring with malicious payload, and obfuscated C2 URL constants.

Malicious versions

3 flagged: 1.0.11, 1.0.12, 1.0.13

Indicators of compromise (SHA-256)


Frequently asked questions

No. jsontoken-extend on npm has been identified as a malicious package (versions 1.0.11, 1.0.12, 1.0.13 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004715
IN-MAL-2026-004716
IN-MAL-2026-004700
IN-MAL-2026-004699
IN-MAL-2026-006072
IN-MAL-2026-006071

Credits

  • Amazon Inspector · finder

jsontoken-extend (npm) malicious package — MAL-2026-4592 | O3 Security