OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10060 confirms this npm version as malicious. cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease');...
Advisory
MAL-2026-10060
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cookie-parser-js (npm)
Details
cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0})` inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. `cookie-js-ease` is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to `latest`, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.
Decision reason
OpenSSF Malicious Packages via OSV confirms cookie-parser-js@1.0.8 as malicious (MAL-2026-10060): Malicious code in cookie-parser-js (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory