Feed
HighPublished 1 Jul 20263 packages · 14 versions

`clx-cookieparser` + `clx-cookie-signature` cookie-parser impersonators — DGA-driven RAT dropper cluster (GHSA dropped 2026-06-29, updated 2026-07-01)

Summary

clx-cookieparser (7 versions 1.4.41.5.1) and clx-cookie-signature@1.2.1 impersonate Express's cookie-parser / cookie-signature. Both hide a dropper that XOR-derives a C2 IP from key 0x496AAC7E, then fetches and evals startup.js — no install hook, execution fires on first API call. GHSA-jpg2-3r22-63v7 / GHSA-vwwm-x6xj-cfmf, refreshed 2026-07-01.

typosquatcredential-theftobfuscationdns-exfiltration
Detected by
SafeDep · GitHub Advisory Database · OffSeq · Hacktron AI
Also known as
cookie-parser DGA dropper cluster
Ecosystems
npm
Packages tracked
3

What happened

On 2026-06-29 GitHub's Advisory Database dropped CWE-506 (Embedded Malicious Code) advisories against two npm packages that had been sitting on the public registry since 2026-05-28: clx-cookieparser (GHSA-jpg2-3r22-63v7, versions 1.4.4 / 1.4.5 / 1.4.6 / 1.4.7 / 1.4.8 / 1.4.9 / 1.5.1) and clx-cookie-signature (GHSA-vwwm-x6xj-cfmf, 1.2.1). Both were refreshed 2026-07-01, and npm has since republished each name as a 0.0.1-security holding tarball to prevent reregistration.

Names and target

Both packages typosquat Express middleware:

  • clx-cookieparser mimics cookie-parser, the standard Express middleware for signed / unsigned HTTP cookie parsing (~24M weekly downloads).
  • clx-cookie-signature mimics cookie-signature, the small HMAC helper used to sign session cookies (~22M weekly downloads).

The clx- prefix has no legitimate meaning in the Express ecosystem; the strings look plausible enough to slip past a distracted engineer copy-pasting from a Stack Overflow snippet or accepting a Copilot autocompletion.

Novel execution vector — no install hook

What sets this cluster apart from the typical postinstall-hook malware is that neither package declares any pre- or post-install lifecycle script. Both package.json files present a faithful copy of the legitimate cookie-parser metadata, and the malicious payload sits in cookie-loader.min.js. Execution triggers when the consumer calls the documented cookie-parsing API — so the dropper only fires inside a running Express app, not inside a npm install scanner. This is exactly the pattern SafeDep's Abhisek Datta documented on the earlier express-cookie-parser predecessor (published April 22, 2025), and it defeats every install-time-only supply-chain scanner.

DGA-based C2

cookie-loader.min.js fetches a "seed" file, computes SHA256(seed), XORs each byte of the digest with the hardcoded key 0x496AAC7E, and interprets the first four bytes of the result as a dotted-quad IPv4 address. In the analyzed sample the seed comes from https://raw.githubusercontent.com/johns92/blog_app/refs/heads/main/server/.env.example and the derived C2 is 206.214.129.67. Stage 2 is a URL of the shape http://<derived-ip>/public/startup.js?ver=1.2&type=module, downloaded and executed via the local node binary. Rotating the seed hash produces a fresh IPv4 while keeping the loader identical — so blocking a single IOC IP is not sufficient.

Predecessor — express-cookie-parser (April 2025)

SafeDep first documented the pattern in April 2025 against express-cookie-parser, which shipped six malicious versions (1.4.7 through 1.4.12) in a ~24-hour window on 2025-04-22 → 2025-04-23 before being npm unpublish'd. That earlier package used the exact same cookie-loader.min.js dropper and the same hardcoded key 0x496AAC7E, strongly indicating a single operator revisiting the cookie-parser naming space with fresh brands 13 months later. express-cookie-parser never received a GHSA record (npm removed it before GitHub triaged it), but the SafeDep research is the canonical write-up of the family.

Related actor context

SafeDep's April 2025 companion post covered express-session-js (published 2026-04-01 by judebelingham), a separate express-session typosquat that fetches a ~93KB obfuscated Socket.IO RAT from a paste service to 216.126.237.71. Multiple indicators link express-session-js to the Contagious Interview / Famous Chollima npm campaign (338+ malicious packages catalogued to date). The clx-cookie* cluster reuses the DGA loader pattern but with a different stage-2 C2 IP; whether the two operators are the same group or a shared toolkit is not established in public research.

Timeline

  • 2025-04-22 – 2025-04-23express-cookie-parser 1.4.7 through 1.4.12 uploaded and later npm unpublish'd; SafeDep publishes analysis of the DGA dropper.
  • 2026-05-28clx-cookieparser 1.4.4 and clx-cookie-signature 1.2.1 first published to npm.
  • 2026-05-28 → 2026-06-25clx-cookieparser iterates through 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.5.1.
  • 2026-06-29 — GitHub Advisory Database publishes GHSA-jpg2-3r22-63v7 and GHSA-vwwm-x6xj-cfmf; npm replaces both packages with a 0.0.1-security holding tarball.
  • 2026-07-01 — Both advisories refreshed; OffSeq mirrors as MAL-2026-6661.

Affected packages (3)

  • npmclx-cookie-signature
    1.2.1
  • npmclx-cookieparser
    1.4.41.4.51.4.61.4.71.4.81.4.91.5.1
  • npmexpress-cookie-parser
    1.4.71.4.81.4.91.4.101.4.111.4.12

Impact

  • Any Express server that imported either package and called the cookie-parsing API executed attacker-controlled JS in the Node process context — no pre/postinstall hook meant install-time scanners missed the payload
  • The DGA-derived C2 (SHA256(seed) XOR 0x496AAC7E → IPv4) resolves to 206.214.129.67 for the seed hard-coded in the analyzed sample; a rotated seed hash would produce a fresh IP with the same infrastructure family, so blocking a single IP does not close the loop
  • startup.js is a full RAT / info-stealer stage 2 — the same operator pattern SafeDep previously documented on the express-cookie-parser predecessor (five malicious versions 1.4.71.4.12 uploaded April 22–23, 2025 and later npm unpublish'd), suggesting a long-running actor rotating package names rather than a one-off push
  • Both packages were live on the public registry 2026-05-28 → 2026-06-29 (32 days) before npm replaced them with 0.0.1-security holding tarballs — production Express apps deployed inside that window may have already fetched stage 2
  • Cookie-parser typosquats target very high-blast-radius middleware: any Express or Connect app that runs require("clx-cookieparser") in place of cookie-parser executes the dropper on the first incoming HTTP request

What to do

  1. 1Remove clx-cookieparser and clx-cookie-signature from every package.json, lockfile, CI image layer, and committed node_modules
  2. 2Correct names: Express's official middleware is cookie-parser (repo expressjs/cookie-parser); the JWT-adjacent cookie signer is cookie-signature (repo tj/node-cookie-signature) — never the clx- prefixed variants
  3. 3If either package ever resolved on a build runner or in production: treat the host as fully compromised, rotate every credential from a separate clean device, and hunt outbound connections to 206.214.129.67 (analyzed C2) plus any IPv4 with the same /16 pattern in your NetFlow/DNS logs for the exposure window (2026-05-28 → 2026-06-29 for these packages; April 2025 for the express-cookie-parser predecessor)
  4. 4Also purge express-cookie-parser (versions 1.4.71.4.12, April 22–23, 2025) if it ever shipped — same operator, same DGA, same cookie-loader.min.js dropper
  5. 5Add a package-name allowlist rule so any future clx-cookie*, express-cookie-*, or cookie-parser-* slug requires review — the naming space is now attacker-controlled
  6. 6For runtime detection: alert on any Node.js process fetching /public/startup.js?ver=1.2&type=module from an unusual IPv4, or calling Function.constructor(...) / eval(...) in the request path of a middleware that should be pure data manipulation

References

npm-2026-07-01-clx-cookie-dga-dropper