Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the moustick package.
moustick is a malicious package.
This package contains malicious code in moustick/index.js that, on require(), fetches a remote payload from an attacker-controlled URL (https://www.jsonkeeper.com/b/MYUKZ) and passes it to eval(). The payload is designed to extract RELAYER_PRIVATE_KEY and JWT_SECRET from the victim's .env file. Although this package attempts to impersonate the valid package cookie-signature by using the real author name (TJ Holowaychuk) and pointing to the legitimate visionmedia/node-cookie-signature GitHub repo, there is no connection between that organization and this package's authorship. Its content has not yet been removed from the official package manager.
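The following is an added example, not code from Snyk or from the package: it checks a parsed package-lock.json for any install of moustick, including transitive ones, and reports which of the two targeted .env keys are defined and so need rotation. The function names findInLockfile and exposedKeys are hypothetical, and the sample lockfile and .env text are constructed.

```javascript
const BAD_PACKAGE = "moustick";
const TARGETED_KEYS = ["RELAYER_PRIVATE_KEY", "JWT_SECRET"]; // named in the advisory

// Return every install location of `name` in a parsed package-lock.json object.
function findInLockfile(lock, name = BAD_PACKAGE) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const path of Object.keys(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push(path);
    }
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${dep}`;
      if (dep === name && !hits.includes(here)) hits.push(here);
      walk(meta && meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Return which targeted keys are defined (not commented out) in .env text.
function exposedKeys(envText) {
  const defined = new Set();
  for (const line of envText.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (m) defined.add(m[1]);
  }
  return TARGETED_KEYS.filter((k) => defined.has(k));
}

// Constructed sample inputs (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "0.0.0" },
    "node_modules/some-lib/node_modules/moustick": { version: "0.0.0" },
  },
};
const sampleEnv = "PORT=3000\n# JWT_SECRET=old\nexport JWT_SECRET=abc\n";

console.log(findInLockfile(sampleLock));
console.log(exposedKeys(sampleEnv));
```

For a real project, pass the result of JSON.parse on the lockfile contents and the raw text of the .env file.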