The set-cookie-ease npm package version 1.1.5 impersonates the legitimate js-cookie library but diverges in its implementation by including malicious code that triggers remote code execution in Node.js or SSR environments. Specifically, when Cookies.set is called with expires: 0 or when the global document object is undefined, the package fetches and executes attacker-controlled JavaScript from a mutable public JSON bin. This design allows the attacker to change the payload at any time, resulting in arbitrary code execution with full privileges on the host system. The package also adds axios and request dependencies contrary to its README claims, confirming its malicious intent. This is a clear case of a typosquatting attack with concrete installer harm.

Exploitation of this package leads to remote code execution on the host running Node.js or server-side rendering frameworks such as Next.js, Nuxt, or Remix. The attacker can execute arbitrary JavaScript code with full privileges, potentially compromising the entire system. The malicious payload is dynamically fetched from a public mutable JSON bin, allowing the attacker to change the code executed at any time. This poses a severe risk to any project that installs and uses this package in vulnerable contexts.

No official patch or remediation is currently available. Users should immediately remove set-cookie-ease version 1.1.5 from their dependencies and replace it with the legitimate js-cookie package or another trusted alternative. Avoid using packages that are typosquatting or have suspicious dependencies. Monitor dependency sources carefully and verify package authenticity before installation.