MAL-2026-10411
Malicious code in cookie-sign (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8ad03fe65b40f317c4f3dd1d4031b1ce3942432ccbb8d794c7b94c7de8566d0f) The package presents itself as a cookie-signing / Express-middleware utility mimicking pino logger internals as cover, but its main entry spawns a detached child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the caller's entire process.env to it, and passes the HTTP response body to `new Function('require', response.data)` for immediate execution. This yields two attacker gains against the installer: exfiltration of all environment variables (which in CI/production typically hold cloud credentials, tokens, and secrets) and remote code execution in the installer's Node process using code returned by the attacker-controlled server. The C2 URL is base64-obfuscated and stored under a decoy `DEV_API_KEY` field, and the package name misrepresents its purpose.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for cookie-sign (npm). Pin to a known-safe version or switch to an alternative.