npm

cookie-parser-js @1.5.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10060

Ecosystem

npm

Summary

cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency cookie-js-ease pinned to the mutable tag latest , and index.js does var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0}) inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. cookie-js-ease is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to latest , its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.

Source: amazon-inspector (c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.