MAL-2026-4422
Malicious code in @qwedqwed/axios (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (65cc6ad7f5d72e7e50a4493915cc5b8ce23b39b6f25ca5515228be44695016ca)

Package `@qwedqwed/axios` is published under a scope that does not belong to the real axios maintainers but copies axios's README, source, homepage (`axios-http.com`), repository (`github.com/axios/axios`), and author metadata (`Matt Zabriskie`) verbatim to present itself as the genuine axios library. Its `package.json` declares two runtime dependencies that the real axios does not use: `@caspianph/storyteller@^1.1.12` and `math@^0.0.3`. The `math` name is a long-abandoned npm utility frequently abused as a dependency-confusion / typosquat target, and `@caspianph/storyteller` is an unknown package under an unrelated scope. Installing `@qwedqwed/axios` resolves both of those packages into the installer's dependency graph, and requiring it loads them. The axios source bytes shipped in this tarball are themselves benign (the `ping` strings flagged are inside axios's normal HTTP adapter / utility code, not an exfil path), but the package functions as a lure: the harmful surface is the silently pulled transitive code, not this tarball's own JavaScript.
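A defender-side check for the pattern described above, added here as an example (it is not part of the advisory or of the axios project): it compares a candidate `package.json` against the genuine package's manifest and flags identity metadata copied under a different name together with runtime dependencies the genuine package never declares. Both manifests are constructed for illustration; the genuine axios dependency names and version ranges are assumed, not taken from the advisory.

```javascript
// Added example, not from the advisory. Manifests below are constructed; the
// real axios dependency list is assumed.

// Normalise the shapes npm allows for "repository" to "host/owner/repo".
function repoKey(repo) {
  const url = typeof repo === "string" ? repo : (repo && repo.url) || "";
  return url
    .replace(/^git\+/, "")                               // git+https://...
    .replace(/^(github|gitlab|bitbucket):/, "$1.com/")   // github:owner/repo
    .replace(/^[a-z]+:\/\//, "")                         // scheme://
    .replace(/^git@([^:]+):/, "$1/")                     // git@host:owner/repo
    .replace(/\.git$/, "")
    .replace(/\/+$/, "")
    .toLowerCase();
}

// "author" may be a string ("Name <email> (url)") or an object with .name.
function authorKey(author) {
  const name = typeof author === "string" ? author : (author && author.name) || "";
  return name.replace(/<.*?>|\(.*?\)/g, "").trim().toLowerCase();
}

// Lure pattern: same repository/homepage/author as the genuine package, a
// different package name, and runtime dependencies the genuine one lacks.
function assessLookalike(candidate, canonical) {
  const sameIdentity =
    repoKey(candidate.repository) === repoKey(canonical.repository) &&
    (candidate.homepage || "").toLowerCase() === (canonical.homepage || "").toLowerCase() &&
    authorKey(candidate.author) === authorKey(canonical.author);
  const extraDeps = Object.keys(candidate.dependencies || {}).filter(
    (d) => !(d in (canonical.dependencies || {}))
  );
  const nameMismatch = candidate.name !== canonical.name;
  return { nameMismatch, sameIdentity, extraDeps,
           suspicious: nameMismatch && sameIdentity && extraDeps.length > 0 };
}

// Constructed manifests (genuine axios dependencies/ranges are assumed).
const CANONICAL_AXIOS = {
  name: "axios", homepage: "https://axios-http.com", author: "Matt Zabriskie",
  repository: { type: "git", url: "https://github.com/axios/axios.git" },
  dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" },
};
const LOOKALIKE = {
  name: "@qwedqwed/axios", homepage: "https://axios-http.com", author: "Matt Zabriskie",
  repository: "git+https://github.com/axios/axios.git",
  dependencies: { ...CANONICAL_AXIOS.dependencies, "@caspianph/storyteller": "^1.1.12", math: "^0.0.3" },
};
```

Running `assessLookalike(LOOKALIKE, CANONICAL_AXIOS)` reports `suspicious: true` with `extraDeps` of `@caspianph/storyteller` and `math`, which is exactly the signal a registry-ingest or lockfile-review step can gate on.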
Affected packages
No fixed version published yet for @qwedqwed/axios (npm). Pin to a known-safe version or switch to an alternative.