{"id":"MAL-2026-4379","summary":"Malicious code in @deadcode09284814/axios-util (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a)\nOn `npm install`, postinstall.js reads installer-owned secrets — SSH private keys (id_rsa, id_ed25519, id_dsa, config, authorized_keys, known_hosts), ~/.aws/credentials and config, ~/.npmrc (with npm_ token regex), ~/.gitconfig, ~/.git-credentials, GCP application_default_credentials.json, Azure accessTokens.json,.env files in cwd and home, shell history — plus the full process.env, hostname, username, cwd, and network interfaces. The collected blob is POSTed as JSON to a hardcoded bare IP C2 at http://80.200.28.28:2222/collect over plain HTTP. The package advertises itself as an 'axios util' but contains no axios-related functionality; the postinstall is its sole purpose. The script fires automatically on `npm install` without user consent.\n","modified":"2026-05-26T06:01:46.492537998Z","published":"2026-05-20T02:08:24Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-26T05:50:33.509903451Z","id":"IN-MAL-2026-003394","sha256":"661ad09ef9ba3d76753a496cbd9b5ab9a3bccf0dbbb06c07e55bb0c7d37b6aaf","modified_time":"2026-05-20T02:08:24Z","versions":["1.0.1"]},{"id":"IN-MAL-2026-003397","import_time":"2026-05-26T05:50:33.994365851Z","source":"amazon-inspector","sha256":"76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a","modified_time":"2026-05-20T02:09:43Z","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@deadcode09284814/axios-util/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@deadcode09284814/axios-util/v/1.0.0"}],"affected":[{"package":{"name":"@deadcode09284814/axios-util","ecosystem":"npm","purl":"pkg:npm/%40deadcode09284814%2Faxios-util"},"versions":["1.0.1","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@deadcode09284814/axios-util/MAL-2026-4379.json","indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"b7e416368a28ab9a338db69859555c30070ee75e09a2abdeb633a01297c40c75","tlsh":"3b71cad15be716311a9364ede78320013622f2533441e4983fdd6fc99f572758aa3ab8"}],"package_integrity":[{"hashes":{"sha1":"f2e5954210f9caee056f23dea3dd4e2251e4c4c9","sha512_sri":"sha512-LAtQkvxF+WNTGlvyHfgqdRvWyOKs3KgYrcEGEOmeHLTYxKDVDapWo6gmIwzLexICuCwuXz7l9ExxONGuqpSz7g=="},"filename":"axios-util-1.0.1.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}