npm · Malicious package advisory
Malwareaxiosqqq
MAL-2026-4493
Malicious code in axiosqqq (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a9cf5bc7a896b21f9af923c60b9283758bf46d4fb279f752a42bae43bb6006aa) Package name `axiosqqq` is a 3-character-suffix typosquat of `axios` and ships axios's verbatim source, README, and CHANGELOG to impersonate the legitimate package. The only material divergence from upstream axios is an added runtime dependency in package.json: `"@caspianph/storyteller": "^1.0.0"`. No file in the tarball imports or references this dependency, so it serves no functional purpose in the package; its only effect is that `npm install axiosqqq` resolves and installs `@caspianph/storyteller`, whose lifecycle hooks and main module will execute in the installer's environment. This is the namespace-abuse / smuggled-transitive-dependency pattern: the lure package mimics a top-tier registry name to get installed, and the actual payload is the unrelated scoped package pulled in transitively. The static C2/POST/ping pattern matches fire on the bundled axios.cjs and reflect axios's normal HTTP-client surface (POST, fetch, ping helpers) rather than added exfiltration code — the typosquat's harm is structural, via the injected dependency, not via modifications to the axios bundle itself.
Compromised versions (4)
- 1.16.2
- 1.16.3
- 1.16.9
- 1.16.13
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.