npm · Malicious package advisory
Malwarev018-axios-cdntest
MAL-2026-5529
Malicious code in v018-axios-cdntest (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901)
Package impersonates axios v0.18.0 (index.js carries the genuine `axios v0.18.0 | (c) 2018 by Matt Zabriskie` header and sets `window.axios={}`, `window.__cdn_package='axios@0.18.0'`) but ships two malicious payloads. (1) index.js appends an IIFE that reads `document.cookie` and sends it via XMLHttpRequest GET to a hardcoded webhook.site endpoint (`https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735?c=<cookies>`), firing on the page `load` event so any consumer loading this script via CDN or bundle leaks all accessible cookies to the attacker. (2) Sibling xmr-min.js is an in-browser Monero cryptojacker that constructs a Web Worker from a Blob and uses `eval` on dynamic JS to mine to wallet `44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A` via `pool.supportxmr.com:4444`. The package is intended to be loaded through jsdelivr (`cdn.jsdelivr.net/npm/v018-axios-cdntest@.../xmr-min.js`), so any site embedding it leaks user cookies and burns visitors' CPU. The package's own description self-labels these payloads.
Compromised versions (4)
- 1.0.2
- 1.0.3
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.