registry  /  cookie-parser-es  /  1.0.7

cookie-parser-es@1.0.7

Parse HTTP request cookies

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10059 confirms this npm version as malicious. Package name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk <tj@vision-media.ca>`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease');...

Advisory
MAL-2026-10059
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cookie-parser-es (npm)
Details
Package name and metadata impersonate the widely-used `cookie-parser` middleware: README, API surface, and `package.json` author (`TJ Holowaychuk <tj@vision-media.ca>`) and repository (`expressjs/js-cookie-parser`) are copied from the legitimate package, with an additional contributor `jeandupontmail24@gmail.com` appended. The factory in `index.js` lines 39-41 calls `var Cookies = require('cookie-ease'); Cookies.set("", "", {expires: 0})` — `cookie-ease` is NOT declared in `dependencies` and is loaded/executed the moment a consumer wires the middleware following the README's `app.use(cookieParser())` example. A second related package `set-cookie-ease` is declared in `dependencies` pinned to `"latest"` (mutable), allowing the maintainer to swap the executed payload after registry scans pass. The combination of name confusion against a top-100 npm package, identity impersonation of a well-known author, runtime loading of an undeclared sister package, and a mutable `latest` pin matches the standard typosquat-dropper supply-chain attack shape.
Decision reason
OpenSSF Malicious Packages via OSV confirms cookie-parser-es@1.0.7 as malicious (MAL-2026-10059): Malicious code in cookie-parser-es (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory