OpenSSF/OSV advisory MAL-2026-10060 confirms this npm version as malicious. cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease');...
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cookie-parser-js (npm)
Details
cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0})` inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. `cookie-js-ease` is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to `latest`, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.
Decision reason
One or more suspicious static signals were detected.