VDB
KO

MAL-2026-10060

Malicious code in cookie-parser-js (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a) cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0})` inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. `cookie-js-ease` is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to `latest`, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cookie-parser-js

No fixed version published yet for cookie-parser-js (npm). Pin to a known-safe version or switch to an alternative.

References