MAL-2026-10059
Malicious code in cookie-parser-es (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1) Package name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk <tj@vision-media.ca>`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0})` — `cookie-ease` is NOT declared in `dependencies` and is loaded/executed the moment a consumer wires the middleware following the README's `app.use(cookieParser())` example. A second related package `set-cookie-ease` is declared in `dependencies` pinned to `"latest"` (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable `latest` pin matches the standard typosquat-dropper supply-chain attack shape.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for cookie-parser-es (npm). Pin to a known-safe version or switch to an alternative.