Backdoor injected to NPM express-cookies package
Remote code injection vulnerability wild in public npm package, plausible-sounding 'express-cookies' and its dependency 'getcookies'. >10K downloads during April.
Vulnerable code: https://npm.runkit.com/getcookies/test/harness.js?t=1525249320108
https://www.npmjs.com/package/express-cookies
17 comments
[ 0.23 ms ] story [ 48.8 ms ] threadI don't know who to credit on this, and neither does npm but OP seems to be the source of these findings, although it would baffle me if they didn't report it to npm.