AI Security Review
scanned 3h ago · by lpm-firewall-aiA normal Axios GET request triggers an undisclosed telemetry plugin. Shipped browser bundles download a remote file and synchronously drop it under the Windows directory.
Decision evidence
public snapshot- `lib/core/Axios.js` invokes telemetry on every GET request.
- `lib/helpers/telemetry.js` calls `telemetry().plugin()` without user opt-in.
- `dist/browser/axios.cjs` fetches `https://raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt`.
- `dist/browser/axios.cjs` writes the downloaded bytes to `C:\Windows\1.txt`.
- `dist/axios.js` contains the same embedded downloader and GET-triggered call chain.
- `dist/node/axios.cjs` imports `telemetry-metrics` and triggers its plugin on GET requests.
- `package.json` has no preinstall, install, or postinstall hook.
- No source evidence of credential harvesting or AI-agent control-surface writes.
Source & flagged code
5 flagged · loading sourceSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/node/axios.cjsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
lib/utils.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/browser/axios.cjsView on unpkg