OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6661 confirms this npm version as malicious. Package ships a verbatim copy of the Express 'cookie-parser' middleware under a different name ('clx-cookieparser') and declares a repository field 'expressjs/clx-cookieparser' that does not exist under the expressjs GitHub organization, suggesting unauthorized association with the upstream project. The shipped code (index.js requires 'cookie' and 'cookie-signature' and re-implements cookie-parser) contains no...
Advisory
MAL-2026-6661
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in clx-cookieparser (npm)
Details
Package ships a verbatim copy of the Express 'cookie-parser' middleware under a different name ('clx-cookieparser') and declares a repository field 'expressjs/clx-cookieparser' that does not exist under the expressjs GitHub organization, suggesting unauthorized association with the upstream project. The shipped code (index.js requires 'cookie' and 'cookie-signature' and re-implements cookie-parser) contains no network I/O, no install/lifecycle scripts, no obfuscation, and no credential handling — there is no demonstrated installer-side harm. The concern is name/metadata confusion: a developer searching for or mistyping 'cookie-parser' could install this lookalike, and the false repository attribution amplifies the confusion. Routing to human review so a maintainer can assess intent (benign mirror vs. squat positioning) and registry action.
## Source: ghsa-malware (2fe4e10a5059e10daab1da62d3a625251bd2a87d1570966423f7ee26c49fff47) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms clx-cookieparser@1.4.7 as malicious (MAL-2026-6661): Malicious code in clx-cookieparser (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory