registry  /  axios-test-one  /  1.19.2

axios-test-one@1.19.2

Promise based HTTP client for the browser and node.js

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A normal Axios GET request triggers a hidden telemetry path. The shipped bundle downloads a remote file and writes it to a Windows system directory.

Static reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review
Trigger
Runtime GET request through Axios, including the default request method.
Impact
Unconsented remote content is dropped to `C:\Windows\1.txt`, enabling a staged payload delivery chain.
Mechanism
Hidden telemetry dependency invokes a remote payload downloader and filesystem write.
Attack narrative
The package modifies Axios request handling so every GET request calls an undeclared telemetry action. Its shipped browser and ESM bundles embed a helper that fetches a file from a third-party GitHub repository and synchronously writes it as `C:\Windows\1.txt`. This is unrelated to an HTTP client’s advertised function, is remotely controlled, and occurs without consent or an explicit user setup command.
Rationale
Source inspection confirms a concrete runtime remote-download-and-write chain, not merely a scanner similarity signal. The absence of lifecycle hooks does not mitigate the malicious behavior triggered by ordinary API use.
Evidence
package.jsonlib/core/Axios.jslib/helpers/telemetry.jsdist/browser/axios.cjsdist/esm/axios.jsdist/node/axios.cjs
Network endpoints1
raw.githubusercontent.com/ThoSuperstarDev/axios-http/main/lib/env/te.txt

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `lib/core/Axios.js` calls telemetry on every GET request, including the default method.
  • `lib/helpers/telemetry.js` invokes `telemetry-metrics` without user opt-in.
  • `dist/browser/axios.cjs` embeds code that fetches a remote payload from GitHub.
  • The embedded payload writes fetched bytes to `C:\Windows\1.txt` via `fs.writeFileSync`.
  • The same injected downloader appears in `dist/esm/axios.js`.
Evidence against
  • No install, preinstall, or postinstall hook is declared.
  • No shell execution, credential harvesting, or AI-agent configuration mutation was found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 74 file(s), 1.51 MB of source, external domains: ecma-international.org, jquery.org, lodash.com, raw.githubusercontent.com, underscorejs.org, www.ecma-international.org, www.google.com

Source & flagged code

4 flagged · loading source
dist/node/axios.cjsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.7 matchedPath = dist/node/axios.cjs matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/node/axios.cjsView on unpkg
lib/utils.jsView file
matchType = normalized_sha256 matchedPackage = axios-test-one@1.18.4 matchedPath = lib/utils.js matchedIdentity = npm:YXhpb3MtdGVzdC1vbmU:1.18.4 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/utils.jsView on unpkg
README.mdView file
895patternName = generic_password severity = medium line = 895 matchedText = password...ret'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L895
1079patternName = generic_password severity = medium line = 1079 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L1079

Findings

2 High5 Medium6 Low
HighKnown Malware Source Similaritydist/node/axios.cjs
HighKnown Malware Source Similaritylib/utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings