`clx-cookieparser` + `clx-cookie-signature` cookie-parser impersonators — DGA-driven RAT dropper cluster (GHSA dropped 2026-06-29, updated 2026-07-01)
clx-cookieparser (7 versions 1.4.4–1.5.1) and clx-cookie-signature@1.2.1 impersonate Express's cookie-parser / cookie-signature. Both hide a dropper that XOR-derives a C2 IP from key 0x496AAC7E, then fetches and evals startup.js — no install hook, execution fires on first API call. GHSA-jpg2-3r22-63v7 / GHSA-vwwm-x6xj-cfmf, refreshed 2026-07-01.
- Detected by
- SafeDep · GitHub Advisory Database · OffSeq · Hacktron AI
- Also known as
- cookie-parser DGA dropper cluster
- Ecosystems
- npm
- Packages tracked
- 3
What happened
On 2026-06-29 GitHub's Advisory Database dropped CWE-506 (Embedded Malicious Code) advisories against two npm packages that had been sitting on the public registry since 2026-05-28: clx-cookieparser (GHSA-jpg2-3r22-63v7, versions 1.4.4 / 1.4.5 / 1.4.6 / 1.4.7 / 1.4.8 / 1.4.9 / 1.5.1) and clx-cookie-signature (GHSA-vwwm-x6xj-cfmf, 1.2.1). Both were refreshed 2026-07-01, and npm has since republished each name as a 0.0.1-security holding tarball to prevent reregistration.
Names and target
Both packages typosquat Express middleware:
clx-cookieparsermimicscookie-parser, the standard Express middleware for signed / unsigned HTTP cookie parsing (~24M weekly downloads).clx-cookie-signaturemimicscookie-signature, the small HMAC helper used to sign session cookies (~22M weekly downloads).
The clx- prefix has no legitimate meaning in the Express ecosystem; the strings look plausible enough to slip past a distracted engineer copy-pasting from a Stack Overflow snippet or accepting a Copilot autocompletion.
Novel execution vector — no install hook
What sets this cluster apart from the typical postinstall-hook malware is that neither package declares any pre- or post-install lifecycle script. Both package.json files present a faithful copy of the legitimate cookie-parser metadata, and the malicious payload sits in cookie-loader.min.js. Execution triggers when the consumer calls the documented cookie-parsing API — so the dropper only fires inside a running Express app, not inside a npm install scanner. This is exactly the pattern SafeDep's Abhisek Datta documented on the earlier express-cookie-parser predecessor (published April 22, 2025), and it defeats every install-time-only supply-chain scanner.
DGA-based C2
cookie-loader.min.js fetches a "seed" file, computes SHA256(seed), XORs each byte of the digest with the hardcoded key 0x496AAC7E, and interprets the first four bytes of the result as a dotted-quad IPv4 address. In the analyzed sample the seed comes from https://raw.githubusercontent.com/johns92/blog_app/refs/heads/main/server/.env.example and the derived C2 is 206.214.129.67. Stage 2 is a URL of the shape http://<derived-ip>/public/startup.js?ver=1.2&type=module, downloaded and executed via the local node binary. Rotating the seed hash produces a fresh IPv4 while keeping the loader identical — so blocking a single IOC IP is not sufficient.
Predecessor — express-cookie-parser (April 2025)
SafeDep first documented the pattern in April 2025 against express-cookie-parser, which shipped six malicious versions (1.4.7 through 1.4.12) in a ~24-hour window on 2025-04-22 → 2025-04-23 before being npm unpublish'd. That earlier package used the exact same cookie-loader.min.js dropper and the same hardcoded key 0x496AAC7E, strongly indicating a single operator revisiting the cookie-parser naming space with fresh brands 13 months later. express-cookie-parser never received a GHSA record (npm removed it before GitHub triaged it), but the SafeDep research is the canonical write-up of the family.
Related actor context
SafeDep's April 2025 companion post covered express-session-js (published 2026-04-01 by judebelingham), a separate express-session typosquat that fetches a ~93KB obfuscated Socket.IO RAT from a paste service to 216.126.237.71. Multiple indicators link express-session-js to the Contagious Interview / Famous Chollima npm campaign (338+ malicious packages catalogued to date). The clx-cookie* cluster reuses the DGA loader pattern but with a different stage-2 C2 IP; whether the two operators are the same group or a shared toolkit is not established in public research.
Timeline
- 2025-04-22 – 2025-04-23 —
express-cookie-parser1.4.7through1.4.12uploaded and laternpm unpublish'd; SafeDep publishes analysis of the DGA dropper. - 2026-05-28 —
clx-cookieparser1.4.4andclx-cookie-signature1.2.1first published to npm. - 2026-05-28 → 2026-06-25 —
clx-cookieparseriterates through1.4.5,1.4.6,1.4.7,1.4.8,1.4.9,1.5.1. - 2026-06-29 — GitHub Advisory Database publishes GHSA-jpg2-3r22-63v7 and GHSA-vwwm-x6xj-cfmf; npm replaces both packages with a
0.0.1-securityholding tarball. - 2026-07-01 — Both advisories refreshed; OffSeq mirrors as MAL-2026-6661.
Affected packages (3)
- npm
clx-cookie-signature1.2.1 - npm
clx-cookieparser1.4.41.4.51.4.61.4.71.4.81.4.91.5.1 - npm
express-cookie-parser1.4.71.4.81.4.91.4.101.4.111.4.12
Impact
- Any Express server that imported either package and called the cookie-parsing API executed attacker-controlled JS in the Node process context — no pre/postinstall hook meant install-time scanners missed the payload
- The DGA-derived C2 (SHA256(seed) XOR
0x496AAC7E→ IPv4) resolves to206.214.129.67for the seed hard-coded in the analyzed sample; a rotated seed hash would produce a fresh IP with the same infrastructure family, so blocking a single IP does not close the loop startup.jsis a full RAT / info-stealer stage 2 — the same operator pattern SafeDep previously documented on theexpress-cookie-parserpredecessor (five malicious versions1.4.7–1.4.12uploaded April 22–23, 2025 and laternpm unpublish'd), suggesting a long-running actor rotating package names rather than a one-off push- Both packages were live on the public registry 2026-05-28 → 2026-06-29 (32 days) before npm replaced them with
0.0.1-securityholding tarballs — production Express apps deployed inside that window may have already fetched stage 2 - Cookie-parser typosquats target very high-blast-radius middleware: any Express or Connect app that runs
require("clx-cookieparser")in place ofcookie-parserexecutes the dropper on the first incoming HTTP request
What to do
- 1Remove
clx-cookieparserandclx-cookie-signaturefrom everypackage.json, lockfile, CI image layer, and committednode_modules - 2Correct names: Express's official middleware is
cookie-parser(repoexpressjs/cookie-parser); the JWT-adjacent cookie signer iscookie-signature(repotj/node-cookie-signature) — never theclx-prefixed variants - 3If either package ever resolved on a build runner or in production: treat the host as fully compromised, rotate every credential from a separate clean device, and hunt outbound connections to
206.214.129.67(analyzed C2) plus any IPv4 with the same/16pattern in your NetFlow/DNS logs for the exposure window (2026-05-28 → 2026-06-29 for these packages; April 2025 for theexpress-cookie-parserpredecessor) - 4Also purge
express-cookie-parser(versions1.4.7–1.4.12, April 22–23, 2025) if it ever shipped — same operator, same DGA, samecookie-loader.min.jsdropper - 5Add a package-name allowlist rule so any future
clx-cookie*,express-cookie-*, orcookie-parser-*slug requires review — the naming space is now attacker-controlled - 6For runtime detection: alert on any Node.js process fetching
/public/startup.js?ver=1.2&type=modulefrom an unusual IPv4, or callingFunction.constructor(...)/eval(...)in the request path of a middleware that should be pure data manipulation
References
- SafeDepMalicious npm Package Impersonating Popular Express Cookie Parsersafedep.io
- GitHubGHSA-jpg2-3r22-63v7 — clx-cookieparser malware advisorygithub.com
- GitHubGHSA-vwwm-x6xj-cfmf — clx-cookie-signature malware advisorygithub.com
- OffSeqMAL-2026-6661: Malicious code in clx-cookieparser (npm)radar.offseq.com
- Medium / Abhisek DattaMalicious npm Package Impersonating Popular Express Cookie Parser (mirror)medium.com
- Hacktron AIclx-cookie-signature 1.2.1 vulnerability reporthacktron.ai