On require('jwtmode'), decode.js immediately invokes getThirdCookie(), which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response field response.data.errCode, passes it to new Function.constructor('require', errCode), and invokes the resulting function with the real Node require. This is unconditional remote code execution at import time from a mutable, attacker-controlled paste host, with full Node capability (filesystem, network, child_process) via require. The package additionally impersonates auth0's jsonwebtoken: it is named jwtmode, declares author: auth0, points its repository field at a non-existent github.com/auth0/node-jwtmode, and re-exports jsonwebtoken's public API surface (decode, JsonWebTokenError, NotBeforeError, TokenExpiredError) — a brand-impersonation lure to trick developers into installing it instead of jsonwebtoken. Any project that requires jwtmode will execute whatever JavaScript the operator of jsonkeeper.com/b/AZ9ZF chooses to serve at that moment.