VYPR

npm · Malicious package advisory

Malware

axois-utils

MAL-2026-4494

Malicious code in axois-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (48eb1a16cb7cac016f30a49f81d472b9b4e02236b97c5daaea4446b74e6aa069)
The package name is a single-character transposition of `axios`. `package.json` declares `preinstall`, `install`, and `postinstall` hooks all pointing at `postinstall.js`, guaranteeing execution on `npm install`. `postinstall.js` reads `~/.ssh/id_*`, `~/.aws/credentials`, `~/.aws/config`, `~/.config/gcloud/application_default_credentials.json`, `~/.azure/accessTokens.json`, `~/.npmrc`, shell histories, browser profile data, crypto wallet files, the entire `process.env`, and recursively walks `~/projects`, `~/dev`, `~/code`, `~/workspace`, and the current working directory for `.env` files. Collected data is POSTed via plain HTTP to `http://80.200.28.28:2222/collect` (hardcoded as `C2_HOST` at line 11). Author comments in the source explicitly label installers as 'victims' (`// Change this to your PUBLIC IP when deploying to victims`) and construct a `VICTIM_ID`, leaving no benign interpretation. The exposed `fetchData` API in `index.js` is a stub that only `console.log`s — the package has no legitimate function.

Compromised versions (6)

  • 1.0.9
  • 1.0.8
  • 1.0.5
  • 1.0.6
  • 1.0.7
  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.