MAL-2026-4494
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axois-utils/MAL-2026-4494.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4494
- Published
- 2026-05-20T01:33:43Z
- Modified
- 2026-05-26T06:02:10.956204397Z
- Summary
- Malicious code in axois-utils (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (48eb1a16cb7cac016f30a49f81d472b9b4e02236b97c5daaea4446b74e6aa069)
The package name is a single-character transposition of
axios.package.jsondeclarespreinstall,install, andpostinstallhooks all pointing atpostinstall.js, guaranteeing execution onnpm install.postinstall.jsreads~/.ssh/id_*,~/.aws/credentials,~/.aws/config,~/.config/gcloud/application_default_credentials.json,~/.azure/accessTokens.json,~/.npmrc, shell histories, browser profile data, crypto wallet files, the entireprocess.env, and recursively walks~/projects,~/dev,~/code,~/workspace, and the current working directory for.envfiles. Collected data is POSTed via plain HTTP tohttp://80.200.28.28:2222/collect(hardcoded asC2_HOSTat line 11). Author comments in the source explicitly label installers as 'victims' (// Change this to your PUBLIC IP when deploying to victims) and construct aVICTIM_ID, leaving no benign interpretation. The exposedfetchDataAPI inindex.jsis a stub that onlyconsole.logs — the package has no legitimate function. - Database specific
{ "malicious-packages-origins": [ { "sha256": "2c958ad366d3cf211d3687734b5515662d21eb63135675984966149e7205f5ee", "source": "amazon-inspector", "modified_time": "2026-05-20T01:33:43Z", "versions": [ "1.0.9" ], "id": "IN-MAL-2026-003365", "import_time": "2026-05-26T05:50:30.038124505Z" }, { "sha256": "348b9dab1b41fbf96d8b2eb2d57a630c5173a7a59b446495ae44f2c8c270fc54", "source": "amazon-inspector", "modified_time": "2026-05-20T01:33:43Z", "versions": [ "1.0.9" ], "id": "IN-MAL-2026-003366", "import_time": "2026-05-26T05:50:30.129341041Z" }, { "sha256": "3bde7de4bfb2aa11618fdd40c2fa9148ea6528d5e0e198bf2a7148d013021d6b", "source": "amazon-inspector", "modified_time": "2026-05-20T01:48:45Z", "id": "IN-MAL-2026-003383", "versions": [ "1.0.8" ], "import_time": "2026-05-26T05:50:32.292390413Z" }, { "sha256": "48eb1a16cb7cac016f30a49f81d472b9b4e02236b97c5daaea4446b74e6aa069", "source": "amazon-inspector", "modified_time": "2026-05-20T01:56:23Z", "versions": [ "1.0.5" ], "id": "IN-MAL-2026-003384", "import_time": "2026-05-26T05:50:32.381114054Z" }, { "sha256": "6c7f0094b893662a5bccb61ccbb5acdc9cef0e7d29361133c47456ace1d46836", "source": "amazon-inspector", "modified_time": "2026-05-20T01:42:02Z", "versions": [ "1.0.6" ], "id": "IN-MAL-2026-003373", "import_time": "2026-05-26T05:50:30.947293738Z" }, { "sha256": "96352f83bd4eb19f3b558b436dbcb497759f2f44c09ba6e9f0c283a2bdf4b61a", "source": "amazon-inspector", "modified_time": "2026-05-20T01:40:54Z", "versions": [ "1.0.7" ], "id": "IN-MAL-2026-003370", "import_time": "2026-05-26T05:50:30.567604347Z" }, { "sha256": "a0138ed11110dbbde8b54451da2c6a188d1ce1b885f57b4502b0e3d15af797cc", "source": "amazon-inspector", "modified_time": "2026-05-20T01:48:45Z", "versions": [ "1.0.8" ], "id": "IN-MAL-2026-003382", "import_time": "2026-05-26T05:50:32.196030532Z" }, { "sha256": "ebd0e0c4d55ecc3d8d7d292bfbf40484d853466a4b12cbd7a4da5171cac12e74", "source": "amazon-inspector", "modified_time": "2026-05-20T01:40:53Z", "versions": [ "1.0.7" ], "id": "IN-MAL-2026-003369", "import_time": "2026-05-26T05:50:30.473042333Z" }, { "sha256": "ef6753fc762c223001f634d4abd6f0fd9e578ec3b042931a2b4ea0cdaab1ef26", "source": "amazon-inspector", "modified_time": "2026-05-20T01:44:45Z", "versions": [ "1.0.4" ], "id": "IN-MAL-2026-003379", "import_time": "2026-05-26T05:50:31.871438811Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / axois-utils
Package
- Name
- axois-utils
- View open source insights on deps.dev
- Purl
- pkg:npm/axois-utils
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axois-utils/MAL-2026-4494.json"
indicators
{
"evidence_files": [
{
"sha256": "308b15c023088a7188dea4ef609010ac2493eb4c365b103053d7621a9ca5b935",
"tlsh": "6b3293e066f79160127395aa832ba5061177f0033902edb8ff9dd3451f8a52c87f26ed",
"path": "distrube.js"
}
],
"domains": [
"api.ipify.org",
"b94b6bcfa27554.lhr.life"
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-EX4QmTBU8U1aSejnWVtJiF+EisFnm+0NH5YqaJLddrK91ttXJ01lTiYi+ihetV6wxeI9HFLnuCEQ8KThl+DiQg==",
"sha1": "1e3108220b931a6a8005b6f19cd729856847fc64"
},
"filename": "axois-utils-1.0.9.tgz"
}
]
}