
Potentially compromised dependency getcookies (via mailparser) #10641

@segphault

Description:

On April 20, a seemingly routine dependency update PR introduced what appears to be a compromised package.

Updating mailparser from version 2.2.0 to 2.2.3 pulled in a transitive dependency called http-fetch-cookies, which has a sub-dependency called express-cookies, which depends on a package called getcookies. The getcookies package apparently has a backdoor (reported here) that looks like it uses the vm module to run arbitrary code provided from a request inside the application's context.

It appears that npm has since removed http-fetch-cookies, express-cookies, getcookies and mailparser 2.2.3. According to Google's cache, mailparser 2.2.3 was published 17 days ago with the added dependency. It's worth noting that mailparser became deprecated last month due to lack of funding, and this compromise seems to have happened since then. As mailparser has 67,000 weekly downloads, this is quite concerning.
