registry  /  nodeaxois  /  1.0.0

nodeaxois@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10589 confirms this npm version as malicious. The package declares scripts.postinstall: node.init.js, which runs automatically on npm install. The.init.js script collects host metadata (os.hostname(), os.platform(), process.cwd(), process.pid, timestamp), enumerates approximately 60 credential-shaped environment variables (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, CLOUDFLARE_*, GCP, etc.), reads ~/.npmrc, ~/.env*, ~/config.json,...

Advisory
MAL-2026-10589
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nodeaxois (npm)
Details
The package declares scripts.postinstall: node.init.js, which runs automatically on npm install. The.init.js script collects host metadata (os.hostname(), os.platform(), process.cwd(), process.pid, timestamp), enumerates approximately 60 credential-shaped environment variables (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, CLOUDFLARE_*, GCP, etc.), reads ~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json, and files under ~/.config/ whose names contain token/cred/secret, and POSTs the aggregated JSON to a hardcoded https://webhook.cool/at/tender-deer-80/ endpoint. The package's index.js exports an empty object; the tarball provides no legitimate functionality. The name is a likely typosquat of axios.
Decision reason
OpenSSF Malicious Packages via OSV confirms nodeaxois@1.0.0 as malicious (MAL-2026-10589): Malicious code in nodeaxois (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory