MAL-2026-4493

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axiosqqq/MAL-2026-4493.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4493

Published

2026-05-20T04:16:47Z

Modified

2026-05-26T06:02:10.902629539Z

Summary

Malicious code in axiosqqq (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9cf5bc7a896b21f9af923c60b9283758bf46d4fb279f752a42bae43bb6006aa)

Package name axiosqqq is a 3-character-suffix typosquat of axios and ships axios's verbatim source, README, and CHANGELOG to impersonate the legitimate package. The only material divergence from upstream axios is an added runtime dependency in package.json: "@caspianph/storyteller": "^1.0.0". No file in the tarball imports or references this dependency, so it serves no functional purpose in the package; its only effect is that npm install axiosqqq resolves and installs @caspianph/storyteller, whose lifecycle hooks and main module will execute in the installer's environment. This is the namespace-abuse / smuggled-transitive-dependency pattern: the lure package mimics a top-tier registry name to get installed, and the actual payload is the unrelated scoped package pulled in transitively. The static C2/POST/ping pattern matches fire on the bundled axios.cjs and reflect axios's normal HTTP-client surface (POST, fetch, ping helpers) rather than added exfiltration code — the typosquat's harm is structural, via the injected dependency, not via modifications to the axios bundle itself.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T04:16:47Z",
            "versions": [
                "1.16.2"
            ],
            "sha256": "a9cf5bc7a896b21f9af923c60b9283758bf46d4fb279f752a42bae43bb6006aa",
            "id": "IN-MAL-2026-003459",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:40.973991855Z"
        }
    ]
}

References

https://www.npmjs.com/package/axiosqqq/v/1.16.2

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / axiosqqq

Package

Name: axiosqqq; View open source insights on deps.dev
Purl: pkg:npm/axiosqqq

Affected ranges

Affected versions

1.*

1.16.2

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "8f15d9ae65c6ea4dd4fec2b96c68d01cc60fa25c5d0d895f6253caa2002aa476",
            "tlsh": "07d1ed62c89a4d572fe43aa8a85a9155b235c04fcc41f91d73ae424c4f4c72f32fb66e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-an9BYensuEdOipJmFz/W9w2FhS4/ANZMs41uj+kRxzITC666Rdso+kVygGVCeYS3CgEeoFl3JqHODyTqDNl0xw==",
                "sha1": "5e110fd6fa3afa14bf2671d756baa9f2972d3e27"
            },
            "filename": "axiosqqq-1.16.2.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axiosqqq/MAL-2026-4493.json"