VYPR

npm · Malicious package advisory

Malware

cookie-parser-es

MAL-2026-10059

Malicious code in cookie-parser-es (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1)
Package name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk <tj@vision-media.ca>`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0})` — `cookie-ease` is NOT declared in `dependencies` and is loaded/executed the moment a consumer wires the middleware following the README's `app.use(cookieParser())` example. A second related package `set-cookie-ease` is declared in `dependencies` pinned to `"latest"` (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable `latest` pin matches the standard typosquat-dropper supply-chain attack shape.

Compromised versions (1)

  • 1.0.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.