MAL-2026-6313
Vulnerability from ossf_malicious_packages
@zynkit/jwtbytes (malicious version 0.5.3, published by zynkit-sk393b@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a JWT byte helper and ships real, working utility code (decoy base32/58/64/hex/ascii85 encoders) so it passes a glance, while bundling a much larger malicious payload at dist/prelude.cjs. package.json declares a postinstall hook ("node dist/prelude.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload dist/prelude.cjs SHA-256: d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (56c346069fc4ee120281c9431c9f9544452f0d67b783df08750e00faaba5251b)
The package's main entry dist/mod.cjs begins with require('./prelude.cjs').runPrepare();, so any require('@zynkit/jwtbytes') auto-runs a 280 KB obfuscator.io-style IIFE in dist/prelude.cjs. The IIFE uses an RC4+base64 string-array decoder, anti-debug traps (RegExp/setInterval, console neutralization, --inspect/--inspect-brk checks), and AES-256-GCM ciphertexts decrypted with XOR-derived keys to reconstruct an HTTPS URL at runtime. It then re-execs the current Node process with a sentinel environment variable, fetches a payload to os.tmpdir(), marks it executable, and spawns it via process.execPath or /bin/sh -c. The legitimate codec sources from github.com/dahlia/byte-encodings are bundled verbatim under an unrelated publisher (zynkit <zynkit@pm.me>) while reusing the upstream homepage/repository URLs as a lure; the prelude.cjs loader is not present upstream and has been grafted on. The obfuscated loader (~280 KB) dwarfs the ~4 KB of advertised codec source. Importing this package in a developer or CI environment results in remote code execution under attacker control.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "dist/prelude.cjs",
"sha256": "d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1",
"tlsh": "ad54711063c5fc90214b8fb6772eb1e5ea2a1ae878540ddfd818bc51ebfa505dbe8530"
},
{
"path": "package.json",
"sha256": "07ef67bd4d86514e6ce512f6831e133f073a3b357e8698c642b5dd91abc38926",
"tlsh": "87619529c6e41d6333c469e0a45ba66aa258804b0b153f6537cd422c4f5c59f23ffede"
}
],
"package_integrity": [
{
"filename": "jwtbytes-0.5.1.tgz",
"hashes": {
"sha1": "8f79e4782479b57bd2d5d0ca6f6e538290705666",
"sha512_sri": "sha512-c5cbxuBCTtBIF8TXVpWu63di9TnCXzqsYi8XcmB7hqTFQMWs3PJ/Wi5Af9aOuR2EMO/JIUKymfDneYllakn8oA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@zynkit/jwtbytes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"versions": [
"0.5.1",
"0.5.4",
"0.5.2",
"0.4.3",
"0.5.3"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007283",
"import_time": "2026-06-23T16:54:14.553059067Z",
"modified_time": "2026-06-23T16:22:28Z",
"sha256": "5159f8eb6f94c520a2c4b64a5e0d1261dd26b14de070d6def6aef940161e6a8f",
"source": "amazon-inspector",
"versions": [
"0.5.1"
]
},
{
"id": "IN-MAL-2026-007285",
"import_time": "2026-06-23T16:54:14.766445267Z",
"modified_time": "2026-06-23T16:22:30Z",
"sha256": "56c346069fc4ee120281c9431c9f9544452f0d67b783df08750e00faaba5251b",
"source": "amazon-inspector",
"versions": [
"0.5.4"
]
},
{
"id": "IN-MAL-2026-007282",
"import_time": "2026-06-23T16:54:14.483194574Z",
"modified_time": "2026-06-23T16:22:27Z",
"sha256": "ba47eb25bbf0e3c728fe5f954af9c015b07bc4b3d28e3a3a21055ab73a361200",
"source": "amazon-inspector",
"versions": [
"0.5.2"
]
},
{
"id": "IN-MAL-2026-007286",
"import_time": "2026-06-23T16:54:14.82875576Z",
"modified_time": "2026-06-23T16:22:30Z",
"sha256": "f0688f5e5af8942f29348988efd603a5c379c698bb6d886f2e231da902909304",
"source": "amazon-inspector",
"versions": [
"0.4.3"
]
},
{
"id": "IN-MAL-2026-007279",
"import_time": "2026-06-23T16:54:14.240137195Z",
"modified_time": "2026-06-23T16:22:25Z",
"sha256": "fb68ae44b21436638ce989a68d8c1e3ce01be3b793ec3a89c4b055a4560efb87",
"source": "amazon-inspector",
"versions": [
"0.5.3"
]
}
]
},
"details": "@zynkit/jwtbytes (malicious version 0.5.3, published by zynkit-sk393b@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern \u003cscope\u003e-\u003c6 random chars\u003e@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a JWT byte helper and ships real, working utility code (decoy base32/58/64/hex/ascii85 encoders) so it passes a glance, while bundling a much larger malicious payload at dist/prelude.cjs. package.json declares a postinstall hook (\"node dist/prelude.cjs\") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload dist/prelude.cjs SHA-256: d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (56c346069fc4ee120281c9431c9f9544452f0d67b783df08750e00faaba5251b)\nThe package\u0027s main entry `dist/mod.cjs` begins with `require(\u0027./prelude.cjs\u0027).runPrepare();`, so any `require(\u0027@zynkit/jwtbytes\u0027)` auto-runs a 280 KB obfuscator.io-style IIFE in `dist/prelude.cjs`. 
The IIFE uses an RC4+base64 string-array decoder, anti-debug traps (RegExp/setInterval, console neutralization, `--inspect`/`--inspect-brk` checks), and AES-256-GCM ciphertexts decrypted with XOR-derived keys to reconstruct an HTTPS URL at runtime. It then re-execs the current Node process with a sentinel environment variable, fetches a payload to `os.tmpdir()`, marks it executable, and spawns it via `process.execPath` or `/bin/sh -c`. The legitimate codec sources from `github.com/dahlia/byte-encodings` are bundled verbatim under an unrelated publisher (`zynkit \u003czynkit@pm.me\u003e`) while reusing the upstream homepage/repository URLs as a lure; the `prelude.cjs` loader is not present upstream and has been grafted on. The obfuscated loader (~280 KB) dwarfs the ~4 KB of advertised codec source. Importing this package in a developer or CI environment results in remote code execution under attacker control.\n",
"id": "MAL-2026-6313",
"modified": "2026-06-23T19:34:37Z",
"published": "2026-06-22T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes/v/0.5.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes/v/0.5.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes/v/0.5.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes/v/0.4.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes/v/0.5.3"
},
{
"type": "REPORT",
"url": "https://safedep.io/wshu-net-npm-credential-stealer-campaign/"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@zynkit/jwtbytes"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @zynkit/jwtbytes (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.