
jsonwebtoken

registry: npm
package name: jsonwebtoken
maintainer: Auth0 / Okta

jsonwebtoken is the most widely used Node.js library for creating and verifying JSON Web Tokens. It signs tokens using HMAC secrets or RSA/EC private keys and verifies them with the corresponding secret or public key. Most Node.js REST APIs use this package to issue and validate session tokens.

api usage

Checking jsonwebtoken

jsonwebtoken 9.0.2 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=jsonwebtoken&version=9.0.2" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "jsonwebtoken",
  "version": "9.0.2",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

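
As an added example (not Attestd's own client and not code from the jsonwebtoken project), the Node.js function below turns a check response of the shape shown above into a CI verdict, weighting evidence with the per-source confidence values documented under attack surface. The contents of the sources array (the source names listed on this page), the blocking threshold, and the flagged sample response are assumptions.

```javascript
// Added example, not Attestd's own client code: turns one /v1/check response
// (field names as shown on this page) into a CI verdict. Assumption: entries in
// supply_chain.sources are the source names documented on this page.

// Confidence per detection source, taken from the values documented on this page.
const SOURCE_CONFIDENCE = { registry: 1.0, osv: 0.95, npm_deprecation: 0.8 };

// Policy threshold (assumption): evidence at or above this confidence fails the
// build; weaker evidence is reported for human review instead of blocking.
const BLOCK_THRESHOLD = 0.9;

function evaluateCheck(response) {
  const id = `${response.product}@${response.version}`;
  if (response.supported !== true) {
    // Unsupported packages carry no verdict; do not mistake silence for "clean".
    return { action: 'warn', confidence: 0, reason: `${id}: no supply-chain data available` };
  }
  const sc = response.supply_chain;
  if (!sc.compromised) {
    return { action: 'allow', confidence: 0, reason: `${id}: no known compromise` };
  }
  // Strongest evidence wins; sources this code does not know get confidence 0,
  // so they still produce a warning rather than silently passing.
  const confidence = Math.max(0, ...sc.sources.map((s) => SOURCE_CONFIDENCE[s] ?? 0));
  const detail = [sc.malware_type, sc.advisory_url].filter(Boolean).join(', ');
  const action = confidence >= BLOCK_THRESHOLD ? 'block' : 'warn';
  return { action, confidence, reason: `${id}: compromised (${detail || 'no details'})` };
}

// Constructed sample responses (not real advisories): the clean response from
// this page, and a hypothetical flagged one built with the same field names.
const CLEAN = {
  product: 'jsonwebtoken', version: '9.0.2', supported: true, risk_state: 'none',
  supply_chain: { compromised: false, sources: [], malware_type: null, description: null,
    advisory_url: null, compromised_at: null, removed_at: null },
};
const FLAGGED = {
  product: 'jsonwebtoken', version: '0.0.0-example', supported: true, risk_state: 'compromised',
  supply_chain: { compromised: true, sources: ['osv', 'npm_deprecation'],
    malware_type: 'credential_stealer', description: 'constructed sample',
    advisory_url: 'https://example.invalid/advisory',
    compromised_at: '2026-01-01T00:00:00Z', removed_at: null },
};

for (const r of [CLEAN, FLAGGED]) console.log(evaluateCheck(r));
```
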
attack surface

Why this package is monitored

JWT libraries handle signing secrets and private keys directly. A backdoored version can exfiltrate the signing secret, allowing an attacker to forge arbitrary valid tokens for any user in the system without additional access.

Attestd monitors jsonwebtoken using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions whose deprecation messages contain language indicating a targeted attack, such as "malicious", "backdoor", or "compromised". Confidence 0.80.

related