jwt-token-validator

SUSPICIOUS: the stated purpose is simple JWT-validation assistance, but the actual footprint includes broad npm-backed shell execution and file write capability with no concrete need, package pinning, or verified same-org toolchain. No direct malware or exfiltration is shown, but the permissions are wider than the documented function.