Backdoor injected to NPM express-cookies package

58 points by ekke ↗ HN
Remote code injection vulnerability wild in public npm package, plausible-sounding 'express-cookies' and its dependency 'getcookies'. >10K downloads during April.

Vulnerable code: https://npm.runkit.com/getcookies/test/harness.js?t=1525249320108

https://www.npmjs.com/package/express-cookies

17 comments

[ 0.23 ms ] story [ 48.8 ms ] thread
There is no reason to use "express-cookies" when "cookie-parser" exists.
Express just ejected a bunch of its functionality into “express-“ modules.
(comment deleted)
And NPM took it down quickly, whew.
did you report it to NPM?
I don't know how many reported it to npm, but when I initially saw the post on HN, I took the steps to report the packages.

I don't know who to credit on this, and neither does npm but OP seems to be the source of these findings, although it would baffle me if they didn't report it to npm.

Sure, and at least few more people :)
Can someone explain how the injection itself works? I assume it's the require doing the work, but its not so clear how that loads externally instead of from a path in filesystem?
I am curious to know whether you reported it to npm upon your findings. npm questioned me for who to credit on this matter, and they would like to know who the original finder was.
Am I the only one that's only reading the comments after seeing the first two words of the title?