VDB
KO

MAL-2026-10411

Malicious code in cookie-sign (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8ad03fe65b40f317c4f3dd1d4031b1ce3942432ccbb8d794c7b94c7de8566d0f) The package presents itself as a cookie-signing / Express-middleware utility mimicking pino logger internals as cover, but its main entry spawns a detached child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the caller's entire process.env to it, and passes the HTTP response body to `new Function('require', response.data)` for immediate execution. This yields two attacker gains against the installer: exfiltration of all environment variables (which in CI/production typically hold cloud credentials, tokens, and secrets) and remote code execution in the installer's Node process using code returned by the attacker-controlled server. The C2 URL is base64-obfuscated and stored under a decoy `DEV_API_KEY` field, and the package name misrepresents its purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cookie-sign

No fixed version published yet for cookie-sign (npm). Pin to a known-safe version or switch to an alternative.

References