Serial axios typosquat campaign by a single Epsilon Stealer MaaS operator. Wave 1: turbo-axios published 2026-05-23 (v1.17.2, v1.17.3), taken down by npm security hold 2026-05-28. Wave 2: operator created new npm account (speedsteraxios), published faster-axios 2026-06-01 (v1.17.3, v1.17.4) with rotated Cloudflare quick-tunnels but shared infrastructure (consequences-faces-weblogs-clinical.trycloudflare.com appears in both turbo-axios stage-2 C2 and faster-axios Epsilon Stealer DOWNLOAD_URL constant). Shared TTPs: identical version numbering (1.17.x), same postinstall hook (node ./lib/core/eval.js), same sendAnalytics() function name, same /download/datab1 URL path pattern, same attack shape (postinstall eval-downloader targeting axios users). Payload: Epsilon Stealer MaaS infostealer with browser credential theft, crypto wallet theft, Discord/Telegram/GitHub token theft, process injection, WebSocket RAT, and persistence.
Objective
Credential theft and financial gain via Epsilon Stealer MaaS deployed through npm axios typosquats
Packages
Indicators
- url https://cold5.gofile.io/download/web/c5d2304a-2ede-4fd8-904b-9a6cdd3f8a6c/analyst.js (communicates-with)
- url https://apparently-movers-mysql-heights.trycloudflare.com/download/datab1 (communicates-with)
- url https://apparently-movers-mysql-heights.trycloudflare.com/download/epsilon (communicates-with)
- url https://apparently-movers-mysql-heights.trycloudflare.com/download/browser (communicates-with)
- domain apparently-movers-mysql-heights.trycloudflare.com (communicates-with)
- domain recorded-distinct-face-girlfriend.trycloudflare.com (exfiltrates-to)
- url https://recorded-distinct-face-girlfriend.trycloudflare.com/customer (exfiltrates-to)
- domain consequences-faces-weblogs-clinical.trycloudflare.com (communicates-with)
- url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/load (communicates-with)
- domain prep-integer-lit-preferences.trycloudflare.com (communicates-with)
- sha256 bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a (drops)
- file_path %TEMP%\hello.exe (drops)
- sha256 f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e (indicates)
- sha256 80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e (indicates)
- email [email protected] (indicates)
- github_repo speedsteraxios (indicates)
- url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1 (communicates-with)
- domain philosophy-moms-incoming-milton.trycloudflare.com (communicates-with)
- url https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1 (communicates-with)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1102 Web Service (uses)
- ttp T1027.001 Obfuscated Files or Information: Binary Padding (uses)
- ttp T1070.006 Indicator Removal: Timestomp (uses)
- ttp T1106 Native API (uses)
- ttp T1555.003 Credentials from Password Stores: Web Browsers (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keys (uses)
- ttp T1055.003 Process Injection: Thread Execution Hijacking (uses)
- ttp T1219 Remote Access Software (uses)
- ttp T1497.001 Virtualization/Sandbox Evasion: System Checks (uses)
