VYPR

npm · Malicious package advisory

Malware

axiosqqq

MAL-2026-4493

Malicious code in axiosqqq (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a9cf5bc7a896b21f9af923c60b9283758bf46d4fb279f752a42bae43bb6006aa)
Package name `axiosqqq` is a 3-character-suffix typosquat of `axios` and ships axios's verbatim source, README, and CHANGELOG to impersonate the legitimate package. The only material divergence from upstream axios is an added runtime dependency in package.json: `"@caspianph/storyteller": "^1.0.0"`. No file in the tarball imports or references this dependency, so it serves no functional purpose in the package; its only effect is that `npm install axiosqqq` resolves and installs `@caspianph/storyteller`, whose lifecycle hooks and main module will execute in the installer's environment. This is the namespace-abuse / smuggled-transitive-dependency pattern: the lure package mimics a top-tier registry name to get installed, and the actual payload is the unrelated scoped package pulled in transitively. The static C2/POST/ping pattern matches fire on the bundled axios.cjs and reflect axios's normal HTTP-client surface (POST, fetch, ping helpers) rather than added exfiltration code — the typosquat's harm is structural, via the injected dependency, not via modifications to the axios bundle itself.

Compromised versions (4)

  • 1.16.2
  • 1.16.3
  • 1.16.9
  • 1.16.13

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.