MAL-2026-4379

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@deadcode09284814/axios-util/MAL-2026-4379.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4379

Published

2026-05-20T02:08:24Z

Modified

2026-05-26T06:01:46.492537998Z

Summary

Malicious code in @deadcode09284814/axios-util (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a)

On npm install, postinstall.js reads installer-owned secrets — SSH private keys (idrsa, ided25519, iddsa, config, authorizedkeys, knownhosts), ~/.aws/credentials and config, ~/.npmrc (with npm token regex), ~/.gitconfig, ~/.git-credentials, GCP applicationdefaultcredentials.json, Azure accessTokens.json,.env files in cwd and home, shell history — plus the full process.env, hostname, username, cwd, and network interfaces. The collected blob is POSTed as JSON to a hardcoded bare IP C2 at http://80.200.28.28:2222/collect over plain HTTP. The package advertises itself as an 'axios util' but contains no axios-related functionality; the postinstall is its sole purpose. The script fires automatically on npm install without user consent.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "661ad09ef9ba3d76753a496cbd9b5ab9a3bccf0dbbb06c07e55bb0c7d37b6aaf",
            "modified_time": "2026-05-20T02:08:24Z",
            "id": "IN-MAL-2026-003394",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-05-26T05:50:33.509903451Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a",
            "modified_time": "2026-05-20T02:09:43Z",
            "id": "IN-MAL-2026-003397",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:50:33.994365851Z",
            "source": "amazon-inspector"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @deadcode09284814/axios-util

Package

Name: @deadcode09284814/axios-util; View open source insights on deps.dev
Purl: pkg:npm/%40deadcode09284814%2Faxios-util

Affected ranges

Affected versions

1.*

1.0.0

1.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@deadcode09284814/axios-util/MAL-2026-4379.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "f2e5954210f9caee056f23dea3dd4e2251e4c4c9",
                "sha512_sri": "sha512-LAtQkvxF+WNTGlvyHfgqdRvWyOKs3KgYrcEGEOmeHLTYxKDVDapWo6gmIwzLexICuCwuXz7l9ExxONGuqpSz7g=="
            },
            "filename": "axios-util-1.0.1.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "b7e416368a28ab9a338db69859555c30070ee75e09a2abdeb633a01297c40c75",
            "tlsh": "3b71cad15be716311a9364ede78320013622f2533441e4983fdd6fc99f572758aa3ab8"
        }
    ]
}