Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the cookie-parser-legacy package.
cookie-parser-legacy is a malicious package.
This package contains malicious code that uses another malicious package, moustick (Snyk Advisory), as a dependency to fetch a remote payload from an attacker-controlled URL (https://www.jsonkeeper.com/b/MYUKZ). The payload is designed to extract RELAYER_PRIVATE_KEY and JWT_SECRET from the victim's .env file. While this package attempts to impersonate the legitimate package cookie-parser by using the real author's name (TJ Holowaychuk) and pointing to the legitimate expressjs/cookie-parser GitHub repository, there is no connection between that organization and this package's authorship. The package has not yet been removed from the official package registry.
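A lockfile check for the two package names this advisory identifies, added here as an example and not part of the Snyk advisory: it walks an npm package-lock.json (both the flat lockfileVersion 2/3 layout and the nested v1 tree) and reports where cookie-parser-legacy or moustick is installed and which package declares the dependency that pulled it in. The sample lockfile and its version strings are constructed.

```python
import json

# Package names come from the advisory: the lookalike package and the
# dependency it pulls in to fetch its remote payload.
MALICIOUS = frozenset({"cookie-parser-legacy", "moustick"})

def _flat_entries(lock):
    """lockfileVersion 2/3: flat 'packages' map keyed by install path."""
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1] if path else "(project root)"
        yield path or "(project root)", name, meta.get("dependencies", {}), meta

def _nested_entries(deps, parent=""):
    """lockfileVersion 1: nested 'dependencies' tree, edges in 'requires'."""
    for name, meta in deps.items():
        path = f"{parent}node_modules/{name}"
        yield path, name, meta.get("requires", {}), meta
        yield from _nested_entries(meta.get("dependencies", {}), path + "/")

def find_malicious(lock_text, blocklist=MALICIOUS):
    """One finding per installed blocklisted package and one per package that
    declares a dependency on it, so transitive pulls (moustick) are visible."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) >= 2:
        entries = _flat_entries(lock)
    else:
        entries = _nested_entries(lock.get("dependencies", {}))
    findings = []
    for path, name, deps, meta in entries:
        if name in blocklist:
            findings.append({"path": path, "version": meta.get("version"),
                             "reason": f"blocklisted package {name} is installed"})
        hits = sorted(set(deps) & blocklist)
        if hits:
            findings.append({"path": path, "version": meta.get("version"),
                             "reason": f"{name} depends on {', '.join(hits)}"})
    return findings

# Constructed sample package-lock.json (lockfileVersion 3); versions are placeholders.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"cookie-parser-legacy": "*", "express": "^4"}},
        "node_modules/express": {"version": "0.0.0-placeholder"},
        "node_modules/cookie-parser-legacy": {"version": "0.0.0-placeholder",
                                              "dependencies": {"moustick": "*"}},
        "node_modules/cookie-parser-legacy/node_modules/moustick": {"version": "0.0.0-placeholder"},
    },
})
```

Run `find_malicious(open("package-lock.json").read())` against a real lockfile; an empty list means neither name appears anywhere in the install tree.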