Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in cookie-parser-js (npm)

cookie-parser-js

Risk score

92

AI summary

Indexed incident for cookie-parser-js (npm).

Description

cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the README (which self-identifies as cookie-parser-ease), and the expressjs repository slug. package.json declares an undocumented runtime dependency cookie-js-ease pinned to the mutable tag latest, and index.js does var Cookies = require('cookie-js-ease'); Cookies.set("", "", {expires: 0}) inside the exported cookieParser factory. The Cookies.set call passes empty key/value with expires:0 — a functional no-op whose only effect is to force load and execute the transitive dependency when a consumer requires('cookie-parser-js') and invokes the middleware. cookie-js-ease is not a known cookie library and appears fabricated to serve as the payload carrier: because it is pinned to latest, its author (controlled by the same actor) can push arbitrary code at any time, giving them code execution inside any consumer application that loads this middleware. The name-similarity to cookie-parser (a top-download express middleware) plus the borrowed identity of its real maintainers is a deliberate confusion attack targeting developers who mistype the package name.

Technical details

Affected versions

=1.4.8=1.4.9=1.5.0=1.0.8=1.5.3=1.5.2=1.5.1

Indicators

  • affected version=1.4.875%
  • affected version=1.4.975%
  • affected version=1.5.075%
  • affected version=1.0.875%
  • affected version=1.5.375%
  • affected version=1.5.275%
  • affected version=1.5.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents