registry  /  axios-test-one  /  1.18.5

axios-test-one@1.18.5

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 5h ago · by lpm-firewall-ai

On a consumer GET request, injected code gathers host/user/process metadata and attempts to send it to a local loopback collector. The malformed call prevents a confirmed outbound payload transmission.

Static reason
No blocking static signals were detected.
Trigger
Calling Axios with a GET request at runtime.
Impact
Unexpected collection attempt and likely GET-request failure; no confirmed external exfiltration.
Mechanism
Automatic host-metadata collection with loopback telemetry POST attempt.
Rationale
The source contains an unsolicited metadata-collection and telemetry path triggered by ordinary GET requests, but static inspection shows its malformed invocation prevents confirmed exfiltration. Flag it for warning as an inert staged payload rather than block as concrete malware.
Evidence
package.jsonlib/core/Axios.jslib/helpers/readJson.jslib/helpers/telemetry.jsdist/node/axios.cjs
Network endpoints1
127.0.0.1:5000/report

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for warning
  • `lib/core/Axios.js` automatically calls telemetry for every GET request.
  • `lib/helpers/readJson.js` collects hostname, username, OS, CPU/memory, Node version, and PID.
  • `lib/helpers/telemetry.js` attempts a POST to `127.0.0.1:5000/report` without user opt-in.
  • The injected telemetry code is included in `dist/node/axios.cjs`.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook exists in `package.json`.
  • The telemetry call passes one argument to a two-argument function, so its serialized payload is undefined; no successful POST is confirmed.
  • The only fixed endpoint is loopback, not an external host.
  • No child-process execution, file harvesting, persistence, or AI-agent control-surface mutation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.01 MB of source, external domains: www.google.com

Source & flagged code

2 flagged · loading source
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings