cookie-parser-legacy @1.5.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5346
Ecosystem: npm
Summary
Package name and README impersonate the well-known cookie-parser Express middleware. The source is a near-verbatim copy of cookie-parser, except the legitimate cookie-signature dependency has been replaced with an unknown package moustick pinned to the mutable latest tag (package.json: "moustick": "latest"). index.js requires moustick as signature and invokes signature.unsign(str.slice(2), secrets[i]) at request time on user-supplied cookie values, executing whatever code moustick currently publishes against installer-side cookie secrets and signed values. index.js additionally imports execSync from child_process at the top of the file with no reference anywhere in the cookie-parsing logic — an unusual staging artifact for a pure parsing module. The combination of name-impersonation of a top-tier middleware, silent substitution of a security-critical dependency, and pinning that substitute to a mutable tag means any installer who picks this up thinking it is cookie-parser will resolve and execute arbitrary third-party code controlled by the moustick publisher on every install.
Source: amazon-inspector (53a673e0454bb102d4e8456e3c26290196c5ae5bf4cf9438ce78f8286fd5c3be)
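The two red flags the summary calls out, a dependency pinned to a mutable dist-tag and a dependency set that no longer matches the upstream it imitates, are both visible in package.json alone and can be checked before anything is installed. The following is an added example, not code from the OSV record or from cookie-parser: a small Node.js audit that classifies each dependency spec (semver range, URL/alias, wildcard, or dist-tag) and diffs the declared dependencies against an expected baseline. The manifest it scans is constructed to mirror the report's description, and the baseline dependency list is an assumption for the demo.

```javascript
// Added example (not from the OSV record or the cookie-parser project).
// Audits a package.json manifest for dependency specs that resolve to a
// mutable npm dist-tag (e.g. "latest") and for dependencies that differ from
// the set a known upstream is expected to declare. Pure Node.js, no modules.

// Constructed manifest modelled on the report: cookie-signature has been
// replaced by "moustick": "latest". Not the real package's file.
const SUSPECT_MANIFEST = JSON.stringify({
  name: "cookie-parser-legacy",
  version: "1.5.4",
  dependencies: { cookie: "0.7.2", moustick: "latest" },
});

// Assumed baseline: the dependencies the impersonated upstream is expected to
// declare. Constructed for the demo from the report (which names
// cookie-signature); replace with your own vetted baseline in practice.
const EXPECTED_UPSTREAM_DEPS = ["cookie", "cookie-signature"];

const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Classify a version spec. npm treats any spec that is neither a semver
// range nor a URL/file/git/alias target as a dist-tag, which resolves to
// whatever the publisher currently points that tag at on every install.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === "" || s === "*" || s === "x" || s === "X") return "wildcard";
  // file:, git+ssh:, https:, npm: aliases, and GitHub "user/repo" shorthand
  if (/^[a-z][a-z0-9+.-]*:/i.test(s) || s.includes("/")) return "url-or-alias";
  // Ranges: start with a digit (optionally "v"), an operator, or use "||" / " - "
  if (/^(v?\d|[~^<>=])/.test(s) || s.includes("||") || s.includes(" - ")) {
    return "semver";
  }
  // Anything else ("latest", "next", "beta", ...) is a mutable dist-tag.
  return "dist-tag";
}

// Return every dependency whose spec is a dist-tag or wildcard, i.e. whose
// resolved version can change without any edit to the manifest.
function findMutablePins(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === "dist-tag" || kind === "wildcard") {
        findings.push({ field, name, spec, kind });
      }
    }
  }
  return findings;
}

// Compare declared runtime dependencies with an expected baseline. A package
// that claims to be a copy of a known module but swaps one dependency for an
// unknown name shows up as one "missing" and one "unexpected" entry.
function diffDependencies(manifestText, expectedNames) {
  const manifest = JSON.parse(manifestText);
  const actual = Object.keys(manifest.dependencies || {});
  return {
    missing: expectedNames.filter((n) => !actual.includes(n)),
    unexpected: actual.filter((n) => !expectedNames.includes(n)),
  };
}

function auditReport(manifestText, expectedNames) {
  return {
    mutablePins: findMutablePins(manifestText),
    dependencyDiff: diffDependencies(manifestText, expectedNames),
  };
}

console.log(JSON.stringify(auditReport(SUSPECT_MANIFEST, EXPECTED_UPSTREAM_DEPS), null, 2));
```

On the constructed manifest the audit reports one mutable pin (moustick at "latest") and a dependency diff with cookie-signature missing and moustick unexpected, which is exactly the substitution the summary describes. A lockfile pins the resolved version of a dist-tag at the moment of the first install, so the check is most useful on package.json itself, where it catches the mutable spec before any resolution happens.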