VYPR

npm · Malicious package advisory

Malware

@deadcode09284814/axios-util

MAL-2026-4379

Malicious code in @deadcode09284814/axios-util (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a)
On `npm install`, postinstall.js reads installer-owned secrets — SSH private keys (id_rsa, id_ed25519, id_dsa, config, authorized_keys, known_hosts), ~/.aws/credentials and config, ~/.npmrc (with npm_ token regex), ~/.gitconfig, ~/.git-credentials, GCP application_default_credentials.json, Azure accessTokens.json,.env files in cwd and home, shell history — plus the full process.env, hostname, username, cwd, and network interfaces. The collected blob is POSTed as JSON to a hardcoded bare IP C2 at http://80.200.28.28:2222/collect over plain HTTP. The package advertises itself as an 'axios util' but contains no axios-related functionality; the postinstall is its sole purpose. The script fires automatically on `npm install` without user consent.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.