MAL-2026-10060

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-js/MAL-2026-10060.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10060
Published
2026-07-09T16:19:27Z
Modified
2026-07-10T17:17:01.901827297Z
Summary
Malicious code in cookie-parser-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a)

cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency cookie-js-ease pinned to the mutable tag latest, and index.js does var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0}) inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. cookie-js-ease is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to latest, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.4.8"
            ],
            "id": "IN-MAL-2026-009299",
            "modified_time": "2026-07-09T16:20:02Z",
            "sha256": "17fefe6ee6bd8b2724a609aee2957f0d486e3a497f8df274acd6267fd10cda4e",
            "import_time": "2026-07-09T16:20:58.322753515Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.4.9"
            ],
            "id": "IN-MAL-2026-009295",
            "import_time": "2026-07-09T16:20:58.094754028Z",
            "sha256": "4286341b29814d2b1c35a1107d2097f2a66f11784da088b99a9bffc4b58d4814",
            "modified_time": "2026-07-09T16:19:27Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.5.0"
            ],
            "id": "IN-MAL-2026-009298",
            "modified_time": "2026-07-09T16:19:54Z",
            "import_time": "2026-07-09T16:20:58.277625246Z",
            "sha256": "8f5cbe73e97166cefb452a32b6d70349d19dd5f06b7ef11ae8af64fac38e79cd",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "id": "IN-MAL-2026-009297",
            "modified_time": "2026-07-09T16:19:44Z",
            "sha256": "c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a",
            "import_time": "2026-07-09T16:20:58.226809007Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4ba13cf38f0cd4dfcedcaa67358456ec53ba977569b900efd44cf9e8bcef977b",
            "id": "IN-MAL-2026-009614",
            "import_time": "2026-07-10T15:23:37.199491218Z",
            "modified_time": "2026-07-10T15:19:29Z",
            "versions": [
                "1.5.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.5.2"
            ],
            "id": "IN-MAL-2026-009660",
            "import_time": "2026-07-10T17:10:15.45953757Z",
            "modified_time": "2026-07-10T16:52:52Z",
            "sha256": "bf2e14ed3707b1c1c1aa2b77aa18698d6ee3703b5d7fabd27c3539b98bbf62dc",
            "source": "amazon-inspector"
        },
        {
            "sha256": "65a323b85243ef74664277d16295b3ceac30c46eadb63eba16e7c2528f8180dc",
            "id": "IN-MAL-2026-009659",
            "import_time": "2026-07-10T17:10:15.394038922Z",
            "modified_time": "2026-07-10T16:52:44Z",
            "versions": [
                "1.5.1"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / cookie-parser-js

Package

Affected ranges

Affected versions

1.*
1.0.8
1.4.8
1.4.9
1.5.0
1.5.1
1.5.2
1.5.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "2c3db93f4928c9bac11a078c4279d6f964e2f4488f36f8b5b7e3a115bffcbb37",
            "tlsh": "7371fdd938fdb00e828b6477b4cd5313b6548813209d9959b4dab6b02f8482bcfb9dc7",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "cookie-parser-js-1.4.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-sDt+r8LYNKR3lzAUgBzbTRtpgIz2VwfgzfsxqUUuqMeYTZ3rxbDAlrrzAW/4tDdnKpNqgy3ECKdT41K2BByD6w==",
                "sha1": "b2f00599b6cb6c0e86df14c21d4f5c1a74083606"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cookie-parser-js/MAL-2026-10060.json"