{"id":"MAL-2026-10060","summary":"Malicious code in cookie-parser-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a)\ncookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease'); Cookies.set(\"\", \"\", {expires: 0})` inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. `cookie-js-ease` is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to `latest`, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.\n","modified":"2026-07-10T17:17:01.901827297Z","published":"2026-07-09T16:19:27Z","database_specific":{"malicious-packages-origins":[{"sha256":"17fefe6ee6bd8b2724a609aee2957f0d486e3a497f8df274acd6267fd10cda4e","versions":["1.4.8"],"modified_time":"2026-07-09T16:20:02Z","id":"IN-MAL-2026-009299","import_time":"2026-07-09T16:20:58.322753515Z","source":"amazon-inspector"},{"sha256":"4286341b29814d2b1c35a1107d2097f2a66f11784da088b99a9bffc4b58d4814","versions":["1.4.9"],"modified_time":"2026-07-09T16:19:27Z","id":"IN-MAL-2026-009295","import_time":"2026-07-09T16:20:58.094754028Z","source":"amazon-inspector"},{"sha256":"8f5cbe73e97166cefb452a32b6d70349d19dd5f06b7ef11ae8af64fac38e79cd","versions":["1.5.0"],"modified_time":"2026-07-09T16:19:54Z","id":"IN-MAL-2026-009298","import_time":"2026-07-09T16:20:58.277625246Z","source":"amazon-inspector"},{"sha256":"c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a","versions":["1.0.8"],"modified_time":"2026-07-09T16:19:44Z","id":"IN-MAL-2026-009297","import_time":"2026-07-09T16:20:58.226809007Z","source":"amazon-inspector"},{"versions":["1.5.3"],"sha256":"4ba13cf38f0cd4dfcedcaa67358456ec53ba977569b900efd44cf9e8bcef977b","modified_time":"2026-07-10T15:19:29Z","id":"IN-MAL-2026-009614","import_time":"2026-07-10T15:23:37.199491218Z","source":"amazon-inspector"},{"sha256":"bf2e14ed3707b1c1c1aa2b77aa18698d6ee3703b5d7fabd27c3539b98bbf62dc","versions":["1.5.2"],"modified_time":"2026-07-10T16:52:52Z","id":"IN-MAL-2026-009660","import_time":"2026-07-10T17:10:15.45953757Z","source":"amazon-inspector"},{"versions":["1.5.1"],"sha256":"65a323b85243ef74664277d16295b3ceac30c46eadb63eba16e7c2528f8180dc","modified_time":"2026-07-10T16:52:44Z","id":"IN-MAL-2026-009659","import_time":"2026-07-10T17:10:15.394038922Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.4.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.4.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.5.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.5.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cookie-parser-js/v/1.5.1"}],"affected":[{"package":{"name":"cookie-parser-js","ecosystem":"npm","purl":"pkg:npm/cookie-parser-js"},"versions":["1.4.8","1.4.9","1.5.0","1.0.8","1.5.3","1.5.2","1.5.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-js/MAL-2026-10060.json","indicators":{"package_integrity":[{"filename":"cookie-parser-js-1.4.8.tgz","hashes":{"sha1":"b2f00599b6cb6c0e86df14c21d4f5c1a74083606","sha512_sri":"sha512-sDt+r8LYNKR3lzAUgBzbTRtpgIz2VwfgzfsxqUUuqMeYTZ3rxbDAlrrzAW/4tDdnKpNqgy3ECKdT41K2BByD6w=="}}],"evidence_files":[{"sha256":"2c3db93f4928c9bac11a078c4279d6f964e2f4488f36f8b5b7e3a115bffcbb37","tlsh":"7371fdd938fdb00e828b6477b4cd5313b6548813209d9959b4dab6b02f8482bcfb9dc7","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}