Remote code injection vulnerability wild in public npm package, plausible-sounding 'express-cookies' and its dependency 'getcookies'. >10K downloads during April. Vulnerable code: https://npm.runkit.com/getcookies/test/harness.js?t=1525249320108 https://www.npmjs.com/package/express-cookies