npm

cookie-sign @2.3.5

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10411

Ecosystem

npm

Summary

The package presents itself as a cookie-signing / Express-middleware utility mimicking pino logger internals as cover, but its main entry spawns a detached child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the caller's entire process.env to it, and passes the HTTP response body to new Function('require', response.data) for immediate execution. This yields two attacker gains against the installer: exfiltration of all environment variables (which in CI/production typically hold cloud credentials, tokens, and secrets) and remote code execution in the installer's Node process using code returned by the attacker-controlled server. The C2 URL is base64-obfuscated and stored under a decoy DEV_API_KEY field, and the package name misrepresents its purpose.

Source: amazon-inspector (8ad03fe65b40f317c4f3dd1d4031b1ce3942432ccbb8d794c7b94c7de8566d0f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.