MAL-2026-6313

Malicious code in @zynkit/jwtbytes (npm)

Details

@zynkit/jwtbytes (malicious version 0.5.3, published by zynkit-sk393b@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes; every publisher account follows the pattern `<scope>-<6 random chars>@wshu.net`, and every scope was created on June 4, 2026 in a burst of roughly 40 minutes.

This package masquerades as a JWT byte helper and ships real, working utility code (decoy base32/58/64/hex/ascii85 encoders) so that it passes a glance, while bundling a much larger malicious payload at `dist/prelude.cjs`. `package.json` declares a postinstall hook (`node dist/prelude.cjs`) that runs the payload automatically on `npm install` unless lifecycle scripts are disabled (`--ignore-scripts`). The payload is heavily obfuscated with javascript-obfuscator: hex-named identifiers, a `while (!![])` array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution that keeps its imports out of the static module graph.

At runtime it is a Chromium browser credential stealer: it reads the Chromium `Cookies` and `Login Data` databases, decrypts saved passwords protected with AES-256-GCM under the v10/v11 key schemes, and exfiltrates them over HTTPS with a spoofed `Mozilla/5.0` user agent.

Malicious payload `dist/prelude.cjs` SHA-256: d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (56c346069fc4ee120281c9431c9f9544452f0d67b783df08750e00faaba5251b)

The package's main entry `dist/mod.cjs` begins with `require('./prelude.cjs').runPrepare();`, so any `require('@zynkit/jwtbytes')` auto-runs a 280 KB obfuscator.io-style IIFE in `dist/prelude.cjs`. The IIFE uses an RC4+base64 string-array decoder, anti-debug traps (RegExp/setInterval, console neutralization, `--inspect`/`--inspect-brk` checks), and AES-256-GCM ciphertexts decrypted with XOR-derived keys to reconstruct an HTTPS URL at runtime. It then re-execs the current Node process with a sentinel environment variable, fetches a payload to `os.tmpdir()`, marks it executable, and spawns it via `process.execPath` or `/bin/sh -c`. The legitimate codec sources from `github.com/dahlia/byte-encodings` are bundled verbatim under an unrelated publisher (`zynkit <zynkit@pm.me>`) while reusing the upstream homepage/repository URLs as a lure; the `prelude.cjs` loader is not present upstream and has been grafted on. The obfuscated loader (~280 KB) dwarfs the ~4 KB of advertised codec source. Importing this package in a developer or CI environment results in remote code execution under attacker control.

Affected packages

npm / @zynkit/jwtbytes
Introduced in: 0

No fixed version has been published for @zynkit/jwtbytes (npm), and every version from 0 upward is flagged, so there is no known-safe version to pin. Remove the package and switch to an alternative (the codecs it copies come from `github.com/dahlia/byte-encodings`). Because installing or importing it executes the payload, treat any developer machine or CI runner where it was installed as compromised: rotate browser-saved credentials and any secrets reachable from that environment.