registry  /  axios-test-one  /  1.18.4

axios-test-one@1.18.4

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The ESM request path adds unconsented system profiling to normal Axios GET calls. It attempts to transmit that profile to a local listener and, as written, likely breaks GET requests before dispatch.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer makes an Axios GET request through the ESM/lib entrypoint.
Impact
Unconsented host-data collection attempt and likely denial of service for GET requests.
Mechanism
Automatic host fingerprinting with attempted loopback telemetry.
Attack narrative
On each GET request, `lib/core/Axios.js` calls a newly added host-profile collector and telemetry sender. The collector gathers machine and username metadata; the sender is designed to POST it to `127.0.0.1:5000/report` without caller consent. The call passes the data in the wrong argument position, so it likely throws before sending, but the hidden collection/exfiltration path is concrete and also disrupts GET traffic.
Rationale
This package injects non-Axios host profiling and hidden telemetry into ordinary user-initiated GET requests. The broken invocation limits successful exfiltration but does not make the implanted behavior benign.
Evidence
package.jsonindex.jslib/core/Axios.jslib/helpers/readJson.jslib/helpers/telemetry.js
Network endpoints1
127.0.0.1:5000/report

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `lib/core/Axios.js` imports host-data and telemetry helpers.
  • Every GET request calls `sendTelemetry(readJson())` before dispatch.
  • `lib/helpers/readJson.js` collects hostname, OS, CPU, memory, username, Node version, and PID.
  • `lib/helpers/telemetry.js` posts JSON to loopback port 5000 without user opt-in.
Evidence against
  • The telemetry helper targets only `127.0.0.1`, not an external host.
  • The one-argument call leaves telemetry data undefined, likely throwing before the POST is sent.
  • No lifecycle hook invokes the collection code at install time.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.01 MB of source, external domains: www.google.com

Source & flagged code

3 flagged · loading source
dist/node/axios.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = axios-test-one@1.18.9 matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.9 similarity = 0.903 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/node/axios.cjsView on unpkg
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltadist/node/axios.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings