registry  /  axios-test-one  /  1.19.0

axios-test-one@1.19.0

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The Node bundle fingerprints the host during Axios GET requests and sends the data to a local HTTP listener. This is unsolicited telemetry unrelated to an HTTP client’s requested destination.

Static reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review
Trigger
Application runtime calls an Axios GET using the Node entrypoint.
Impact
A process listening on the fixed local port receives username and system-fingerprint data.
Mechanism
Collect host metadata and POST it to a fixed localhost endpoint.
Attack narrative
On each Node-side Axios GET, the bundled code gathers host and user metadata, then POSTs it to a hard-coded `127.0.0.1:5000/report` endpoint. A local collector can receive this unsolicited fingerprint data. The package’s source and distributed artifacts are also inconsistent, with a source-map reference to a missing helper.
Rationale
The bundled runtime code implements concrete, unconsented host metadata collection and transmission outside the requested HTTP operation. The fixed local endpoint and altered Axios request path establish malicious data-exfiltration behavior.
Evidence
package.jsonlib/core/Axios.jslib/helpers/telemetry.jsdist/node/axios.cjsdist/esm/axios.min.js.map
Network endpoints1
127.0.0.1:5000/report

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/node/axios.cjs` defines `getJsonData()` collecting hostname, OS, CPU/memory, username, Node version, and PID.
  • `dist/node/axios.cjs` POSTs that JSON to `127.0.0.1:5000/report` via `http.request`.
  • `dist/node/axios.cjs` invokes `sendTelemetry(getJsonData())` for Axios GET requests.
  • `lib/core/Axios.js` and `lib/helpers/telemetry.js` add nonstandard telemetry behavior to request flow.
  • `dist/esm/axios.min.js.map` references missing `lib/helpers/readJson.js`, indicating shipped-source inconsistency.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; its only lifecycle hook is `prepare: husky`.
  • No source evidence of shell execution, credential-file reads, destructive writes, or AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 74 file(s), 1.01 MB of source, external domains: www.google.com

Source & flagged code

7 flagged · loading source
dist/browser/axios.cjsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/browser/axios.cjs matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/browser/axios.cjsView on unpkg
dist/node/axios.cjsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/node/axios.cjs matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/node/axios.cjsView on unpkg
dist/esm/axios.jsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/esm/axios.js matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/esm/axios.jsView on unpkg
dist/esm/axios.min.jsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/esm/axios.min.js matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/esm/axios.min.jsView on unpkg
lib/utils.jsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.4 matchedPath = lib/utils.js matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/utils.jsView on unpkg
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

5 High5 Medium5 Low
HighKnown Malware Source Similaritydist/browser/axios.cjs
HighKnown Malware Source Similaritydist/node/axios.cjs
HighKnown Malware Source Similaritydist/esm/axios.js
HighKnown Malware Source Similaritydist/esm/axios.min.js
HighKnown Malware Source Similaritylib/utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings