VDB
KO

MAL-2026-10059

Malicious code in cookie-parser-es (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1) Package name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk <tj@vision-media.ca>`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0})` — `cookie-ease` is NOT declared in `dependencies` and is loaded/executed the moment a consumer wires the middleware following the README's `app.use(cookieParser())` example. A second related package `set-cookie-ease` is declared in `dependencies` pinned to `"latest"` (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable `latest` pin matches the standard typosquat-dropper supply-chain attack shape.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cookie-parser-es

No fixed version published yet for cookie-parser-es (npm). Pin to a known-safe version or switch to an alternative.

References