malware
npm
@zynkit/jwtbytes
discovered 2026-06-23Campaign member, masquerades as a byte/JWT encoder utility (ships genuine base32/base58/base64/hex/ascii85 encoders as decoy). Version 0.5.3 ships a 282KB obfuscated downloader payload (dist/prelude.cjs) auto-executed via postinstall 'node dist/prelude.cjs'. Amazon Inspector's fuller enumeration lists 0.4.3 and 0.5.1-0.5.4 as malicious. Same execution wrapper and obfuscator template as the root lineage; build cluster C (string-array fn _0x175f, guard __38CC632841_TAG), shared with @petitcode/@tinyfox/@thymelab. Downloader -> Rust infostealer chain per Amazon Inspector.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 0.4.3
- 0.5.1
- 0.5.2
- 0.5.3 · a693c060bdab4354…
- 0.5.4