MAL-2026-10059

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-es/MAL-2026-10059.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10059
Published
2026-07-09T16:19:35Z
Modified
2026-07-09T16:31:56.957045440Z
Summary
Malicious code in cookie-parser-es (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1)

Package name and metadata impersonate the widely-used cookie-parser middleware: README, API surface, and package.json author (TJ Holowaychuk <tj@vision-media.ca>) and repository (expressjs/js-cookie-parser) are copied from the legitimate package, with an additional contributor jeandupontmail24@gmail.com appended. The factory in index.js lines 39-41 calls var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0})cookie-ease is NOT declared in dependencies and is loaded/executed the moment a consumer wires the middleware following the README's app.use(cookieParser()) example. A second related package set-cookie-ease is declared in dependencies pinned to "latest" (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable latest pin matches the standard typosquat-dropper supply-chain attack shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.7"
            ],
            "id": "IN-MAL-2026-009296",
            "import_time": "2026-07-09T16:20:58.142871758Z",
            "modified_time": "2026-07-09T16:19:35Z",
            "sha256": "b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / cookie-parser-es

Package

Affected ranges

Affected versions

1.*
1.0.7

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "a45eab993128c81350057e6207eecce97fbc49e78ac5d76147f416c9f1d89881",
            "tlsh": "0d71cbd938fdb00e829b6477b4c94312b5548813209d9959b49ab6b02f8482bcfb9dd7",
            "path": "index.js"
        },
        {
            "sha256": "97f9f10fd3a1c6b4d9cd787ae96a02fdb0201f8eebedee97804c3b157af534fe",
            "tlsh": "bb21ce20d08d0c6341d496a97c1851c2a156554b4952fd0cb779232c8fce6eb28be5f9",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "cookie-parser-es-1.0.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-h+9zb0Ja71894axxENkAuATTwW4SUuEkgwEUXqnJRiS+llDpC5gj5xsp0Igk2rXq9yxJSsE1eY3e4ilLPTLuUQ==",
                "sha1": "b43e13924de6309722f43929c0835fcf70002448"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-es/MAL-2026-10059.json"