clx-cookieparser @1.5.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-6661
Ecosystem
npm
Summary
Package ships a verbatim copy of the Express 'cookie-parser' middleware under a different name ('clx-cookieparser') and declares a repository field 'expressjs/clx-cookieparser' that does not exist under the expressjs GitHub organization, suggesting unauthorized association with the upstream project. The shipped code (index.js requires 'cookie' and 'cookie-signature' and re-implements cookie-parser) contains no network I/O, no install/lifecycle scripts, no obfuscation, and no credential handling — there is no demonstrated installer-side harm. The concern is name/metadata confusion: a developer searching for or mistyping 'cookie-parser' could install this lookalike, and the false repository attribution amplifies the confusion. Routing to human review so a maintainer can assess intent (benign mirror vs. squat positioning) and registry action.
Source: amazon-inspector (29b7ab13cd76393ea58b540ccf13b4ab4660edb4fac210d86a67e51b45fa1d0c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.