MAL-2026-10410: Malicious code in cookie-phase (npm)
The npm package 'cookie-phase' version 2.3.5 is a malicious dropper impersonating the popular 'pino' logger. When imported and executed as middleware, it spawns a detached Node.js child process that contacts a remote command-and-control server via a base64-obfuscated URL. The response from this server is executed dynamically with full Node.js require access, allowing arbitrary code execution on the host. This behavior targets developer and build environments that mistakenly install this package expecting the legitimate 'pino' logger.
AI Analysis
Technical Summary
The 'cookie-phase' npm package (version 2.3.5) masquerades as the well-known 'pino' logger by mimicking its exports and README badges but is unrelated in metadata. Upon invocation, it launches a detached Node.js child process running 'lib/initializeCaller.js' which decodes a base64-encoded URL pointing to a remote endpoint under 'ipcheck-hashed.vercel.app'. It sends a POST request to this endpoint using axios and executes the returned JavaScript code via 'new Function', passing in the Node.js 'require' function. This grants the remote server arbitrary code execution capabilities on the host environment, compromising developer and build systems that install this package under the false assumption it is the legitimate 'pino' logger.
Potential Impact
This malicious package enables remote attackers controlling the C2 server to execute arbitrary code with full Node.js require access on any system that installs and runs the affected version. This can lead to complete system compromise, data theft, or further malware deployment. The threat specifically targets developer and build environments by impersonating a trusted logging library, increasing the risk of supply chain compromise.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove the 'cookie-phase' package version 2.3.5 from their projects and replace any usage of this package with the legitimate 'pino' logger. Avoid installing packages with suspicious metadata or names that impersonate popular libraries. Monitor dependency sources carefully and verify package authenticity before installation. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
MAL-2026-10410: Malicious code in cookie-phase (npm)
Description
The npm package 'cookie-phase' version 2.3.5 is a malicious dropper impersonating the popular 'pino' logger. When imported and executed as middleware, it spawns a detached Node.js child process that contacts a remote command-and-control server via a base64-obfuscated URL. The response from this server is executed dynamically with full Node.js require access, allowing arbitrary code execution on the host. This behavior targets developer and build environments that mistakenly install this package expecting the legitimate 'pino' logger.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'cookie-phase' npm package (version 2.3.5) masquerades as the well-known 'pino' logger by mimicking its exports and README badges but is unrelated in metadata. Upon invocation, it launches a detached Node.js child process running 'lib/initializeCaller.js' which decodes a base64-encoded URL pointing to a remote endpoint under 'ipcheck-hashed.vercel.app'. It sends a POST request to this endpoint using axios and executes the returned JavaScript code via 'new Function', passing in the Node.js 'require' function. This grants the remote server arbitrary code execution capabilities on the host environment, compromising developer and build systems that install this package under the false assumption it is the legitimate 'pino' logger.
Potential Impact
This malicious package enables remote attackers controlling the C2 server to execute arbitrary code with full Node.js require access on any system that installs and runs the affected version. This can lead to complete system compromise, data theft, or further malware deployment. The threat specifically targets developer and build environments by impersonating a trusted logging library, increasing the risk of supply chain compromise.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove the 'cookie-phase' package version 2.3.5 from their projects and replace any usage of this package with the legitimate 'pino' logger. Avoid installing packages with suspicious metadata or names that impersonate popular libraries. Monitor dependency sources carefully and verify package authenticity before installation. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10410
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ada068715ace438f3df4
Added to database: 07/13/2026, 09:19:28 UTC
Last enriched: 07/13/2026, 09:28:15 UTC
Last updated: 07/13/2026, 09:28:15 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.