{"id":"MAL-2026-10059","summary":"Malicious code in cookie-parser-es (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1)\nPackage name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk \u003ctj@vision-media.ca\u003e`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease'); Cookies.set(\"\", \"\", {expires: 0})` — `cookie-ease` is NOT declared in `dependencies` and is loaded/executed the moment a consumer wires the middleware following the README's `app.use(cookieParser())` example. A second related package `set-cookie-ease` is declared in `dependencies` pinned to `\"latest\"` (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable `latest` pin matches the standard typosquat-dropper supply-chain attack shape.\n","modified":"2026-07-09T16:31:56.957045440Z","published":"2026-07-09T16:19:35Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.7"],"modified_time":"2026-07-09T16:19:35Z","sha256":"b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1","source":"amazon-inspector","import_time":"2026-07-09T16:20:58.142871758Z","id":"IN-MAL-2026-009296"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-es/v/1.0.7"}],"affected":[{"package":{"name":"cookie-parser-es","ecosystem":"npm","purl":"pkg:npm/cookie-parser-es"},"versions":["1.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-es/MAL-2026-10059.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"index.js","sha256":"a45eab993128c81350057e6207eecce97fbc49e78ac5d76147f416c9f1d89881","tlsh":"0d71cbd938fdb00e829b6477b4c94312b5548813209d9959b49ab6b02f8482bcfb9dd7"},{"path":"package.json","sha256":"97f9f10fd3a1c6b4d9cd787ae96a02fdb0201f8eebedee97804c3b157af534fe","tlsh":"bb21ce20d08d0c6341d496a97c1851c2a156554b4952fd0cb779232c8fce6eb28be5f9"}],"package_integrity":[{"filename":"cookie-parser-es-1.0.7.tgz","hashes":{"sha512_sri":"sha512-h+9zb0Ja71894axxENkAuATTwW4SUuEkgwEUXqnJRiS+llDpC5gj5xsp0Igk2rXq9yxJSsE1eY3e4ilLPTLuUQ==","sha1":"b43e13924de6309722f43929c0835fcf70002448"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}