MAL-2026-5529

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/v018-axios-cdntest/MAL-2026-5529.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5529
Published
2026-06-10T18:34:55Z
Modified
2026-06-11T02:31:31.641516330Z
Summary
Malicious code in v018-axios-cdntest (npm)
Details

Source: amazon-inspector (67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901)

The package impersonates axios v0.18.0: index.js carries the genuine "axios v0.18.0 | (c) 2018 by Matt Zabriskie" header and sets window.axios={} and window.__cdn_package='axios@0.18.0', but it ships two malicious payloads.

(1) index.js appends an IIFE that reads document.cookie and sends it via an XMLHttpRequest GET to a hardcoded webhook.site endpoint (https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735?c=<cookies>). The IIFE fires on the page load event, so any consumer loading this script via CDN or bundle leaks all cookies accessible to page script to the attacker.

(2) The sibling file xmr-min.js is an in-browser Monero cryptojacker: it constructs a Web Worker from a Blob and uses eval on dynamically built JS to mine to wallet 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A via pool.supportxmr.com:4444.

The package is intended to be loaded through jsdelivr (cdn.jsdelivr.net/npm/v018-axios-cdntest@.../xmr-min.js), so any site embedding it leaks user cookies and burns visitors' CPU. The package's own description self-labels these payloads.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a591698b95bbe1180b694b6aac6d31e658b4fd1e0ba9941f7a9714e223a0ab79",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:34:55Z",
            "id": "IN-MAL-2026-005288",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-06-10T19:23:48.30857207Z"
        },
        {
            "sha256": "67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:01:28Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-005346",
            "import_time": "2026-06-11T01:21:50.796454623Z"
        },
        {
            "sha256": "c1d75c09e9ea65962971d748fe0dd6a3ba162626453ba13b017dddee2bd73efa",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:41:10Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-005354",
            "import_time": "2026-06-11T02:24:27.341236257Z"
        },
        {
            "sha256": "9dc3747912c6afcf740e0b3600533ffde67565b8d6dbfcd192750f45d3625e13",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:40:17Z",
            "id": "IN-MAL-2026-005353",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-11T02:24:27.228796717Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / v018-axios-cdntest
Affected ranges: 1.*
Affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/v018-axios-cdntest/MAL-2026-5529.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "68ca1c801b60f550147c9c8ba54a952c223077c93cd845ef1815ec25f7fa7553",
            "tlsh": "7c52b7ce78a1b0d647f720f0805f5e0fb2b6593a644d84a0e560e8f66db546e8727f8c",
            "path": "index.js"
        },
        {
            "sha256": "d4e79df98be10a6f358cfd304fe9f0bb4b55226bc79bd132a2032e6138f663c3",
            "tlsh": "45f143ccae6514a06c7762356f3f6309ed363003094ad311bebee2001fb9b950299eec",
            "path": "xmr-min.js"
        },
        {
            "sha256": "d209269d4f5f0153d78c42f541e56a697773ad4c34c5b87bd7ab9b1131ff7eea",
            "tlsh": "32d0a9320662a91a12f89e21697a481136621f2f30a08d0bba7a100d8ae26b228ca310",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-wM8m53GDcyQvThZcFVcqBLGUyFCPutrN7qDdhdXX7yKUo5sMYIj+oAwjz1ww1aslQTltAYq1kxfwWAj9xdkokg==",
                "sha1": "5c5a9eac79c60c65ba0249a8825a89aa59521b7b"
            },
            "filename": "v018-axios-cdntest-1.0.2.tgz"
        }
    ]
}