-= Per source details. Do not edit below this line.=-
Package name and metadata impersonate the widely-used cookie-parser middleware: README, API surface, and package.json author (TJ Holowaychuk <tj@vision-media.ca>) and repository (expressjs/js-cookie-parser) are copied from the legitimate package, with an additional contributor jeandupontmail24@gmail.com appended. The factory in index.js lines 39-41 calls var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0}) — cookie-ease is NOT declared in dependencies and is loaded/executed the moment a consumer wires the middleware following the README's app.use(cookieParser()) example. A second related package set-cookie-ease is declared in dependencies pinned to "latest" (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable latest pin matches the standard typosquat-dropper supply-chain attack shape.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.7"
],
"id": "IN-MAL-2026-009296",
"import_time": "2026-07-09T16:20:58.142871758Z",
"modified_time": "2026-07-09T16:19:35Z",
"sha256": "b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "a45eab993128c81350057e6207eecce97fbc49e78ac5d76147f416c9f1d89881",
"tlsh": "0d71cbd938fdb00e829b6477b4c94312b5548813209d9959b49ab6b02f8482bcfb9dd7",
"path": "index.js"
},
{
"sha256": "97f9f10fd3a1c6b4d9cd787ae96a02fdb0201f8eebedee97804c3b157af534fe",
"tlsh": "bb21ce20d08d0c6341d496a97c1851c2a156554b4952fd0cb779232c8fce6eb28be5f9",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "cookie-parser-es-1.0.7.tgz",
"hashes": {
"sha512_sri": "sha512-h+9zb0Ja71894axxENkAuATTwW4SUuEkgwEUXqnJRiS+llDpC5gj5xsp0Igk2rXq9yxJSsE1eY3e4ilLPTLuUQ==",
"sha1": "b43e13924de6309722f43929c0835fcf70002448"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-es/MAL-2026-10059.json"