cookie-parser-es @1.0.7
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10059
Ecosystem
npm
Summary
Package name and metadata impersonate the widely-used cookie-parser middleware: README, API surface, and package.json author ( TJ Holowaychuk <tj@vision-media.ca> ) and repository ( expressjs/js-cookie-parser ) are copied from the legitimate package, with an additional contributor jeandupontmail24@gmail.com appended. The factory in index.js lines 39-41 calls var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0}) — cookie-ease is NOT declared in dependencies and is loaded/executed the moment a consumer wires the middleware following the README's app.use(cookieParser()) example. A second related package set-cookie-ease is declared in dependencies pinned to "latest" (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable latest pin matches the standard typosquat-dropper supply-chain attack shape.
Source: amazon-inspector (b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.