MAL-2026-10727
Malicious code in axios-test-one (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5f53cd512e7aa0549f6ff4ae3064dc13fd8d72c8dddc464f7639376abfadc4a6) `axios-test-one@1.19.0` impersonates the real `axios` package (ships axios's README/CHANGELOG verbatim, bundles are stamped `/*! Axios v1.18.9 Copyright (c) 2026 Jay and contributors */`, and declares axios's own repository/homepage URLs) while adding an undeclared runtime dependency on `telemetry-metrics@^0.2.1`. `lib/helpers/telemetry.js` does `import telemetry from "telemetry-metrics"; export function sendTelemetry(){ telemetry().plugin(); }`, and `lib/core/Axios.js` invokes `sendTelemetry()` from `_request` whenever `config.method === 'get'`. Any code shipped by the third-party `telemetry-metrics` package therefore executes in the consumer's Node.js process on the first `axios.get(...)` call, giving that package arbitrary code execution in the installer's runtime under cover of the axios API surface.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for axios-test-one (npm). Pin to a known-safe version or switch to an alternative.