registry  /  cookie-parser-legacy  /  1.5.4

cookie-parser-legacy@1.5.4

OSV Malicious Advisory

scanned 9d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5346 confirms this npm version as malicious. Package name and README impersonate the well-known `cookie-parser` Express middleware. The source is a near-verbatim copy of cookie-parser, except the legitimate `cookie-signature` dependency has been replaced with an unknown package `moustick` pinned to the mutable `latest` tag (package.json: `"moustick": "latest"`). index.js requires `moustick` as `signature` and invokes `signature.unsign(str.slice(2),...

Advisory
MAL-2026-5346
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cookie-parser-legacy (npm)
Details
Package name and README impersonate the well-known `cookie-parser` Express middleware. The source is a near-verbatim copy of cookie-parser, except the legitimate `cookie-signature` dependency has been replaced with an unknown package `moustick` pinned to the mutable `latest` tag (package.json: `"moustick": "latest"`). index.js requires `moustick` as `signature` and invokes `signature.unsign(str.slice(2), secrets[i])` at request time on user-supplied cookie values, executing whatever code `moustick` currently publishes against installer-side cookie secrets and signed values. index.js additionally imports `execSync` from `child_process` at the top of the file with no reference anywhere in the cookie-parsing logic — an unusual staging artifact for a pure parsing module. The combination of name-impersonation of a top-tier middleware, silent substitution of a security-critical dependency, and pinning that substitute to a mutable tag means any installer who picks this up thinking it is `cookie-parser` will resolve and execute arbitrary third-party code controlled by the `moustick` publisher on every install. ## Source: ghsa-malware (1b0e373057d636dbc4939fdb3e1f8cda1276c8bb88ae02f5ed156244e12fdb91) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms cookie-parser-legacy@1.5.4 as malicious (MAL-2026-5346): Malicious code in cookie-parser-legacy (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory