MAL-2026-10058: Malicious code in cookie-js-ease (npm)
The npm package [email protected] impersonates the popular js-cookie library but contains malicious code that executes attacker-controlled JavaScript in Node.js environments. When the package's Cookies.set() or Cookies.remove() functions are called in Node.js or with expires set to 0, it fetches and evaluates remote code from a hidden URL, enabling remote code execution. This malicious behavior is specific to the CommonJS build and does not affect the .mjs or .min.js variants. This is a typosquatting attack combined with remote code execution targeting developers who mistakenly install this package instead of the legitimate js-cookie library.
AI Analysis
Technical Summary
[email protected] is a malicious npm package that impersonates the legitimate js-cookie library by copying its repository URL, banner comment, API surface, and author name. It adds axios and request as runtime dependencies and injects a remote code execution payload in its CommonJS build (dist/cookie.ease.js). When the Cookies.set() or Cookies.remove() methods are invoked in a Node.js context or with expires=0, the package performs a base64-decoded HTTP GET request to https://cookie-api-two.vercel.app/, retrieves JavaScript code, and executes it via eval() within the Node.js process. This code execution is attacker-controlled, enabling full compromise of the environment using this package. The attack is concealed by targeting only the CommonJS variant and obfuscating the URL to evade static detection. This is a clear case of typosquatting combined with remote code execution.
Potential Impact
Consumers who mistakenly install [email protected] instead of the legitimate js-cookie package and use its Cookies.set() or Cookies.remove() functions in Node.js environments are subject to remote code execution. This allows attackers to execute arbitrary code within the victim's Node.js process, potentially leading to full system compromise, data theft, or further malicious activity. The impact is severe for affected users due to the direct execution of attacker-controlled code.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should avoid installing or using this package entirely. Verify package names carefully before installation to avoid typosquatting attacks, and prefer the legitimate js-cookie package. If [email protected] is detected in any environment, remove it immediately and audit the system for potential compromise. Monitor package sources and use tools that detect typosquatting and malicious packages.
MAL-2026-10058: Malicious code in cookie-js-ease (npm)
Description
The npm package [email protected] impersonates the popular js-cookie library but contains malicious code that executes attacker-controlled JavaScript in Node.js environments. When the package's Cookies.set() or Cookies.remove() functions are called in Node.js or with expires set to 0, it fetches and evaluates remote code from a hidden URL, enabling remote code execution. This malicious behavior is specific to the CommonJS build and does not affect the .mjs or .min.js variants. This is a typosquatting attack combined with remote code execution targeting developers who mistakenly install this package instead of the legitimate js-cookie library.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
[email protected] is a malicious npm package that impersonates the legitimate js-cookie library by copying its repository URL, banner comment, API surface, and author name. It adds axios and request as runtime dependencies and injects a remote code execution payload in its CommonJS build (dist/cookie.ease.js). When the Cookies.set() or Cookies.remove() methods are invoked in a Node.js context or with expires=0, the package performs a base64-decoded HTTP GET request to https://cookie-api-two.vercel.app/, retrieves JavaScript code, and executes it via eval() within the Node.js process. This code execution is attacker-controlled, enabling full compromise of the environment using this package. The attack is concealed by targeting only the CommonJS variant and obfuscating the URL to evade static detection. This is a clear case of typosquatting combined with remote code execution.
Potential Impact
Consumers who mistakenly install [email protected] instead of the legitimate js-cookie package and use its Cookies.set() or Cookies.remove() functions in Node.js environments are subject to remote code execution. This allows attackers to execute arbitrary code within the victim's Node.js process, potentially leading to full system compromise, data theft, or further malicious activity. The impact is severe for affected users due to the direct execution of attacker-controlled code.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should avoid installing or using this package entirely. Verify package names carefully before installation to avoid typosquatting attacks, and prefer the legitimate js-cookie package. If [email protected] is detected in any environment, remove it immediately and audit the system for potential compromise. Monitor package sources and use tools that detect typosquatting and malicious packages.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10058
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50baa768715ace43585006
Added to database: 07/10/2026, 09:25:59 UTC
Last enriched: 07/10/2026, 10:15:18 UTC
Last updated: 07/11/2026, 02:09:31 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.