Which versions of jwtmode are malicious?

The following npm versions of jwtmode are flagged malicious: 1.0.4. Treat any of these as compromised.

How do I remediate jwtmode if I installed it?

Remove jwtmode from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is jwtmode part of a known attack campaign?

Yes — jwtmode is associated with the IN-MAL-2026-006975 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect jwtmode in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking jwtmode and packages like it before any post-install script runs.

Malicious package

jwtmodenpm

Malicious code in jwtmode (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6093

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall jwtmode

What this malware does

On require('jwtmode'), decode.js immediately invokes getThirdCookie(), which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response field response.data.errCode, passes it to new Function.constructor('require', errCode), and invokes the resulting function with the real Node require. This is unconditional remote code execution at import time from a mutable, attacker-controlled paste host, with full Node capability (filesystem, network, child_process) via require. The package additionally impersonates auth0's jsonwebtoken: it is named jwtmode, declares author: auth0, points its repository field at a non-existent github.com/auth0/node-jwtmode, and re-exports jsonwebtoken's public API surface (decode, JsonWebTokenError, NotBeforeError, TokenExpiredError) — a brand-impersonation lure to trick developers into installing it instead of jsonwebtoken. Any project that requires jwtmode will execute whatever JavaScript the operator of jsonkeeper.com/b/AZ9ZF chooses to serve at that moment.

Malicious versions

1 flagged

1.0.4

Indicators of compromise (SHA-256)

b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a

Frequently asked questions

No. jwtmode on npm has been identified as a malicious package (version 1.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006975

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection