npm · Malicious package advisory
Malware@deadcode09284814/axios-util
MAL-2026-4379
Malicious code in @deadcode09284814/axios-util (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a) On `npm install`, postinstall.js reads installer-owned secrets — SSH private keys (id_rsa, id_ed25519, id_dsa, config, authorized_keys, known_hosts), ~/.aws/credentials and config, ~/.npmrc (with npm_ token regex), ~/.gitconfig, ~/.git-credentials, GCP application_default_credentials.json, Azure accessTokens.json,.env files in cwd and home, shell history — plus the full process.env, hostname, username, cwd, and network interfaces. The collected blob is POSTed as JSON to a hardcoded bare IP C2 at http://80.200.28.28:2222/collect over plain HTTP. The package advertises itself as an 'axios util' but contains no axios-related functionality; the postinstall is its sole purpose. The script fires automatically on `npm install` without user consent.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.