Severity: CRITICAL · Status: confirmed · Tags: vulnerable-dependency, typosquat-dependency · Finding ID: d81101f62f97

Likely typosquat: `ngy-cookie` (looks like `ngx-cookie`)

`ngy-cookie` is one character off from the well-known `ngx-cookie` / `ngx-cookie-service` Angular libraries and is not itself a widely-recognized package, fitting the typosquat profile.

File: frontend/package.json
Lines: 58
Confidence: 75%
File status: validated

Details

In the dependencies block:

```json
"ngy-cookie": "^6.0.0",
```

The standard Angular cookie libraries are `ngx-cookie` (salemdar) and `ngx-cookie-service`. `ngy-cookie` is edit-distance 1 from `ngx-cookie` (x → y), the `^6.0.0` major matches the popular `ngx-cookie` line, and there is no obvious legitimate publisher for this name. This is exactly the pattern attackers use to slip malicious post-install scripts into a build: the `ng` prefix and Angular-version-aligned semver make it visually plausible alongside the surrounding `@angular/*` and `ngx-*` packages.

Because Angular runs this code in the browser bundle, a malicious typosquat here can exfiltrate user input, cookies, JWTs, or wallet data (the manifest also includes ethers, @wagmi/core, jwt-decode).

Proof of concept

  1. Diff `ngy-cookie` against `ngx-cookie` on the npm registry — confirm the name is not the well-known package.
  2. Run `npm view ngy-cookie` to inspect maintainer history, weekly downloads, and the repository field.
  3. If the maintainer / repo / downloads do not match the team's intent, replace it with `ngx-cookie-service` or `ngx-cookie` and audit any code that imported from `ngy-cookie`.

Impact

Any developer running `npm install` pulls and executes the typosquat's install scripts and ships its code in the production Angular bundle. Blast radius: every browser user of the app, plus any CI machine that runs the install. No authentication required — install-time and runtime code execution.

Validation: confirmed

Line 58 declares `"ngy-cookie": "^6.0.0"`, a name one character off from the well-known `ngx-cookie` Angular library, embedded next to legitimate `ngx-*`/`@angular/*` entries — a classic typosquat pattern. Juice Shop historically uses `ngx-cookie`/`cookieconsent` for cookie handling, and an attacker-controlled package here would run install scripts on dev/CI and execute in the browser bundle alongside `ethers`, `@wagmi/core`, and `jwt-decode`, enabling cookie/JWT/wallet exfiltration. Scope explicitly says to treat findings as production-relevant. Confidence is moderate because I cannot directly query the npm registry to fully rule out a legitimate obscure publisher.

CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base score: 10.0 · CRITICAL

The `"ngy-cookie": "^6.0.0"` entry in `frontend/package.json` is fetched over the network from the npm registry by any developer or CI runner executing `npm install`, so the attack vector is Network and no privileges are required — the attacker just publishes/maintains the typosquat package. Execution is automatic at install time (postinstall scripts) and at runtime in the production Angular bundle, so no victim interaction beyond normal build/use is required. Scope is Changed because a malicious package compromises both the CI/build host (a different security authority than the Angular app) and every browser visitor of the shipped bundle, with adjacent sensitive libraries present (`ethers`, `@wagmi/core`, `jwt-decode`, `cookieconsent`) enabling theft of cookies/JWTs/wallet keys (C:H), arbitrary code injection into the app and build pipeline (I:H), and the ability to brick the build or the deployed frontend (A:H).