MAL-2026-10411: Malicious code in cookie-sign (npm)
The npm package 'cookie-sign' version 2.3.5 is a malicious package masquerading as a cookie-signing utility. Upon installation, it spawns a detached child process that decodes a hardcoded URL and sends the installer's entire environment variables to this attacker-controlled server. The server responds with code that is immediately executed in the installer's Node.js process, enabling remote code execution and exfiltration of sensitive environment data such as cloud credentials and tokens. The malicious URL is obfuscated and hidden under a decoy environment variable name. This package misrepresents its functionality to evade detection.
AI Analysis
Technical Summary
The 'cookie-sign' npm package version 2.3.5 contains embedded malicious code that, during installation, spawns a detached child process running a script which base64-decodes a hardcoded command-and-control URL. This script POSTs the entire process environment variables to the attacker-controlled endpoint and executes the returned JavaScript code dynamically via the Function constructor, enabling remote code execution in the installer's Node.js environment. This results in exfiltration of sensitive environment variables and arbitrary code execution. The malicious URL is concealed under a decoy environment variable named 'DEV_API_KEY', and the package name is deceptive, purporting to be a cookie-signing or Express middleware utility.
Potential Impact
Successful installation of this package leads to exfiltration of all environment variables from the victim's process, potentially exposing cloud credentials, tokens, and secrets commonly stored in CI or production environments. Additionally, the attacker gains the ability to execute arbitrary code remotely within the victim's Node.js process, posing a severe risk of system compromise and further malicious activity.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the 'cookie-sign' package version 2.3.5. Verify package authenticity before installation and consider using trusted package sources or alternatives. Monitor for any updates or advisories from npm or security vendors regarding this package. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
MAL-2026-10411: Malicious code in cookie-sign (npm)
Description
The npm package 'cookie-sign' version 2.3.5 is a malicious package masquerading as a cookie-signing utility. Upon installation, it spawns a detached child process that decodes a hardcoded URL and sends the installer's entire environment variables to this attacker-controlled server. The server responds with code that is immediately executed in the installer's Node.js process, enabling remote code execution and exfiltration of sensitive environment data such as cloud credentials and tokens. The malicious URL is obfuscated and hidden under a decoy environment variable name. This package misrepresents its functionality to evade detection.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'cookie-sign' npm package version 2.3.5 contains embedded malicious code that, during installation, spawns a detached child process running a script which base64-decodes a hardcoded command-and-control URL. This script POSTs the entire process environment variables to the attacker-controlled endpoint and executes the returned JavaScript code dynamically via the Function constructor, enabling remote code execution in the installer's Node.js environment. This results in exfiltration of sensitive environment variables and arbitrary code execution. The malicious URL is concealed under a decoy environment variable named 'DEV_API_KEY', and the package name is deceptive, purporting to be a cookie-signing or Express middleware utility.
Potential Impact
Successful installation of this package leads to exfiltration of all environment variables from the victim's process, potentially exposing cloud credentials, tokens, and secrets commonly stored in CI or production environments. Additionally, the attacker gains the ability to execute arbitrary code remotely within the victim's Node.js process, posing a severe risk of system compromise and further malicious activity.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing the 'cookie-sign' package version 2.3.5. Verify package authenticity before installation and consider using trusted package sources or alternatives. Monitor for any updates or advisories from npm or security vendors regarding this package. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10411
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ada068715ace438f3df7
Added to database: 07/13/2026, 09:19:28 UTC
Last enriched: 07/13/2026, 09:28:22 UTC
Last updated: 07/13/2026, 09:28:22 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.