registry  /  axios-test-one  /  1.18.8

axios-test-one@1.18.8

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Bundled GET handling contains an unsolicited localhost telemetry payload path. The current call signature prevents a confirmed successful request, so it is an inert staged payload rather than active exfiltration.

Static reason
No blocking static signals were detected.
Trigger
Import a bundled distribution entrypoint and invoke Axios with the default or explicit GET method.
Impact
Current code likely breaks GET requests before transmission; a corrected call could disclose local system metadata to a local listener.
Mechanism
Collects host metadata and attempts a POST to a fixed localhost collector.
Rationale
Distribution artifacts contain unsolicited host-data collection and a fixed reporting endpoint, but the only invocation is inert because of a parameter mismatch. Flag for warning rather than block.
Evidence
package.jsonindex.jslib/core/Axios.jslib/helpers/telemetry.jsdist/node/axios.cjsdist/browser/axios.cjsdist/esm/axios.js
Network endpoints1
127.0.0.1:5000/report

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/node/axios.cjs` adds system telemetry not present in source entry modules.
  • GET requests call `getJsonData()`, collecting hostname, OS, username, memory, Node version, and PID.
  • Bundled telemetry targets `http://127.0.0.1:5000/report` via `http.request`.
  • Equivalent telemetry code is embedded in Node, browser, and ESM distribution bundles.
Evidence against
  • The only call is `sendTelemetry(getJsonData())`, but the function reads its second parameter.
  • That argument mismatch makes `JSON.stringify(data)` undefined and `Buffer.byteLength(body)` fail before `http.request`.
  • `lib/core/Axios.js` has no telemetry reference; the standalone `lib/helpers/telemetry.js` is not imported.
  • No lifecycle install hook, filesystem mutation, shell execution, remote endpoint, or AI-agent control-surface write was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.01 MB of source, external domains: www.google.com

Source & flagged code

2 flagged · loading source
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings