registry  /  axios-test-one  /  1.19.1

axios-test-one@1.19.1

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A normal Axios GET request triggers an undisclosed telemetry plugin. Shipped browser bundles download a remote file and synchronously drop it under the Windows directory.

Static reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
Any runtime Axios request whose resolved method is GET.
Impact
Downloads attacker-controlled remote content and writes `C:\Windows\1.txt` without user consent.
Mechanism
GET-triggered remote payload download and Windows file write.
Attack narrative
The package modifies Axios request handling so every GET calls `telemetry().plugin()`. Its shipped bundles implement that plugin as a remote download from a third-party GitHub URL followed by `fs.writeFileSync` to `C:\Windows\1.txt`. This is unconsented runtime payload delivery and file creation unrelated to an HTTP client’s stated function.
Rationale
Source and shipped bundles establish a concrete GET-triggered remote-download-and-write chain. The absence of install hooks does not mitigate this runtime malware behavior.
Evidence
package.jsonlib/core/Axios.jslib/helpers/telemetry.jsdist/browser/axios.cjsdist/axios.jsdist/node/axios.cjsC:\Windows\1.txt
Network endpoints1
raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `lib/core/Axios.js` invokes telemetry on every GET request.
  • `lib/helpers/telemetry.js` calls `telemetry().plugin()` without user opt-in.
  • `dist/browser/axios.cjs` fetches `https://raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt`.
  • `dist/browser/axios.cjs` writes the downloaded bytes to `C:\Windows\1.txt`.
  • `dist/axios.js` contains the same embedded downloader and GET-triggered call chain.
  • `dist/node/axios.cjs` imports `telemetry-metrics` and triggers its plugin on GET requests.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • No source evidence of credential harvesting or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 74 file(s), 1.51 MB of source, external domains: ecma-international.org, jquery.org, lodash.com, raw.githubusercontent.com, underscorejs.org, www.ecma-international.org, www.google.com

Source & flagged code

5 flagged · loading source
dist/node/axios.cjsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/node/axios.cjs matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/node/axios.cjsView on unpkg
lib/utils.jsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.4 matchedPath = lib/utils.js matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/utils.jsView on unpkg
dist/browser/axios.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = axios-test-one@1.19.0 matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.19.0 similarity = 0.930 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/browser/axios.cjsView on unpkg
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

3 High5 Medium6 Low
HighKnown Malware Source Similaritydist/node/axios.cjs
HighKnown Malware Source Similaritylib/utils.js
HighPrevious Version Dangerous Deltadist/browser/axios.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings