npm · Malicious package advisory
Malwareaxois-utils
MAL-2026-4494
Malicious code in axois-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (48eb1a16cb7cac016f30a49f81d472b9b4e02236b97c5daaea4446b74e6aa069) The package name is a single-character transposition of `axios`. `package.json` declares `preinstall`, `install`, and `postinstall` hooks all pointing at `postinstall.js`, guaranteeing execution on `npm install`. `postinstall.js` reads `~/.ssh/id_*`, `~/.aws/credentials`, `~/.aws/config`, `~/.config/gcloud/application_default_credentials.json`, `~/.azure/accessTokens.json`, `~/.npmrc`, shell histories, browser profile data, crypto wallet files, the entire `process.env`, and recursively walks `~/projects`, `~/dev`, `~/code`, `~/workspace`, and the current working directory for `.env` files. Collected data is POSTed via plain HTTP to `http://80.200.28.28:2222/collect` (hardcoded as `C2_HOST` at line 11). Author comments in the source explicitly label installers as 'victims' (`// Change this to your PUBLIC IP when deploying to victims`) and construct a `VICTIM_ID`, leaving no benign interpretation. The exposed `fetchData` API in `index.js` is a stub that only `console.log`s — the package has no legitimate function.
Compromised versions (6)
- 1.0.9
- 1.0.8
- 1.0.5
- 1.0.6
- 1.0.7
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.