{
  "campaign": {
    "name": "Epsilon Axios Typosquat Campaign",
    "slug": "epsilon-axios-typosquat-campaign",
    "href": "/ti/campaigns/epsilon-axios-typosquat-campaign",
    "description": "Serial axios typosquat campaign by a single Epsilon Stealer MaaS operator. Wave 1: turbo-axios published 2026-05-23 (v1.17.2, v1.17.3), taken down by npm security hold 2026-05-28. Wave 2: operator created new npm account (speedsteraxios), published faster-axios 2026-06-01 (v1.17.3, v1.17.4) with rotated Cloudflare quick-tunnels but shared infrastructure (consequences-faces-weblogs-clinical.trycloudflare.com appears in both turbo-axios stage-2 C2 and faster-axios Epsilon Stealer DOWNLOAD_URL constant). Shared TTPs: identical version numbering (1.17.x), same postinstall hook (node ./lib/core/eval.js), same sendAnalytics() function name, same /download/datab1 URL path pattern, same attack shape (postinstall eval-downloader targeting axios users). Payload: Epsilon Stealer MaaS infostealer with browser credential theft, crypto wallet theft, Discord/Telegram/GitHub token theft, process injection, WebSocket RAT, and persistence.",
    "objective": "Credential theft and financial gain via Epsilon Stealer MaaS deployed through npm axios typosquats",
    "aliases": [],
    "discovered_at": "2026-06-01"
  },
  "packages": [
    {
      "ecosystem": "npm",
      "name": "faster-axios",
      "href": "/ti/packages/npm/faster-axios",
      "threat_types": ["typosquat", "credential_stealer", "rat", "c2_agent", "data_exfiltration", "persistence"],
      "versions": ["1.17.3", "1.17.4"]
    },
    {
      "ecosystem": "npm",
      "name": "turbo-axios",
      "href": "/ti/packages/npm/turbo-axios",
      "threat_types": ["typosquat", "credential_stealer", "c2_agent"],
      "versions": ["1.17.2", "1.17.3"]
    }
  ],
  "indicators": [
    {
      "kind": "url",
      "value": "https://cold5.gofile.io/download/web/c5d2304a-2ede-4fd8-904b-9a6cdd3f8a6c/analyst.js",
      "href": "/ti/ioc/url/url-d1b4590859c1",
      "context": "faster-axios v1.17.3 stage-2 delivery URL (gofile.io file hosting). Now returns landing page; likely token-gated or removed."
    },
    {
      "kind": "url",
      "value": "https://apparently-movers-mysql-heights.trycloudflare.com/download/datab1",
      "href": "/ti/ioc/url/url-be8a73e94fa8",
      "context": "faster-axios v1.17.4 stage-2 delivery URL (Cloudflare quick-tunnel C2). LIVE, returned HTTP 200. Stage 3 = Windows-only dropper."
    },
    {
      "kind": "url",
      "value": "https://apparently-movers-mysql-heights.trycloudflare.com/download/epsilon",
      "href": "/ti/ioc/url/url-b3babde08035",
      "context": "Stage 4 download URL. Dropper fetches hello.exe to %TEMP% and runs via child_process.execFile."
    },
    {
      "kind": "url",
      "value": "https://apparently-movers-mysql-heights.trycloudflare.com/download/browser",
      "href": "/ti/ioc/url/url-2cc6594188a1",
      "context": "Shellcode download URL. Epsilon Stealer fetches XOR-encoded (key 0xAA) shellcode for process injection into dllhost.exe."
    },
    {
      "kind": "domain",
      "value": "apparently-movers-mysql-heights.trycloudflare.com",
      "href": "/ti/ioc/domain/apparently-movers-mysql-heights.trycloudflare.com",
      "context": "Cloudflare quick-tunnel C2 host for faster-axios. Serves: stage-2 delivery (/download/datab1), stage-4 PE (/download/epsilon), and shellcode (/download/browser)."
    },
    {
      "kind": "domain",
      "value": "recorded-distinct-face-girlfriend.trycloudflare.com",
      "href": "/ti/ioc/domain/recorded-distinct-face-girlfriend.trycloudflare.com",
      "context": "Epsilon Stealer exfil API tunnel. Endpoints: /customer (registration), /upload (file exfil), /discord-token (Discord token exfil), /clip (clipboard data)."
    },
    {
      "kind": "url",
      "value": "https://recorded-distinct-face-girlfriend.trycloudflare.com/customer",
      "href": "/ti/ioc/url/url-46d756474c87",
      "context": "Epsilon Stealer exfil API base. Sub-endpoints: /upload, /discord-token, /clip."
    },
    {
      "kind": "domain",
      "value": "consequences-faces-weblogs-clinical.trycloudflare.com",
      "href": "/ti/ioc/domain/consequences-faces-weblogs-clinical.trycloudflare.com",
      "context": "SHARED INFRASTRUCTURE linking turbo-axios and faster-axios (high confidence same operator). turbo-axios v1.17.2 used this tunnel as stage-2 C2 at /download/datab1. faster-axios Epsilon Stealer source references this tunnel as DOWNLOAD_URL constant (line 99) at /download/load. Campaign-level pivot indicator."
    },
    {
      "kind": "url",
      "value": "https://consequences-faces-weblogs-clinical.trycloudflare.com/download/load",
      "href": "/ti/ioc/url/url-37957119e0f9",
      "context": "Secondary download URL used by Epsilon Stealer (faster-axios) for additional payload retrieval."
    },
    {
      "kind": "domain",
      "value": "prep-integer-lit-preferences.trycloudflare.com",
      "href": "/ti/ioc/domain/prep-integer-lit-preferences.trycloudflare.com",
      "context": "WebSocket RAT gateway for Epsilon Stealer. Persistent WSS connection with auto-reconnect. Supports arbitrary cmd.exe/powershell execution with real-time stdout streaming."
    },
    {
      "kind": "sha256",
      "value": "bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a",
      "href": "/ti/ioc/sha256/bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a",
      "context": "Stage 4 hello.exe. PE32 NSIS self-extracting installer, 86,235,515 bytes (~86MB). Contains electron-builder Electron app with Epsilon Stealer in resources/app.asar -> src/index.js (3,360 lines). NSIS header references www.inkscape.org (decoy)."
    },
    {
      "kind": "file_path",
      "value": "%TEMP%\\hello.exe",
      "href": "/ti/ioc/file_path/file_path-299e62eaf3d2",
      "context": "Windows drop path for stage-4 NSIS PE, executed via child_process.execFile."
    },
    {
      "kind": "sha256",
      "value": "f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e",
      "href": "/ti/ioc/sha256/f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e",
      "context": "faster-axios@1.17.3 npm tarball"
    },
    {
      "kind": "sha256",
      "value": "80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e",
      "href": "/ti/ioc/sha256/80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e",
      "context": "faster-axios@1.17.4 npm tarball"
    },
    {
      "kind": "email",
      "value": "epsteinfuckniggerss911@proton.me",
      "href": "/ti/ioc/email/epsteinfuckniggerss911@proton.me",
      "context": "npm maintainer email for account speedsteraxios (faster-axios publisher). Offensive/racist throwaway. Weak actor selector."
    },
    {
      "kind": "github_repo",
      "value": "speedsteraxios",
      "href": "/ti/ioc/github_repo/github_repo-d1b2ccd914ac",
      "context": "npm publisher account handle for faster-axios (used as weak actor selector; not a confirmed GitHub repo)."
    },
    {
      "kind": "url",
      "value": "https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1",
      "href": "/ti/ioc/url/url-bfddb6cbe803",
      "context": "turbo-axios v1.17.2 stage-2 C2 endpoint. Same tunnel reused in faster-axios Epsilon Stealer source. Key infrastructure pivot linking both packages to one operator."
    },
    {
      "kind": "domain",
      "value": "philosophy-moms-incoming-milton.trycloudflare.com",
      "href": "/ti/ioc/domain/philosophy-moms-incoming-milton.trycloudflare.com",
      "context": "Cloudflare quick-tunnel C2 for turbo-axios v1.17.3 stage-2 delivery. Endpoint: /download/datab1. Rotated tunnel after consequences-faces-weblogs-clinical was used for v1.17.2."
    },
    {
      "kind": "url",
      "value": "https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1",
      "href": "/ti/ioc/url/url-94fe81bf151c",
      "context": "turbo-axios v1.17.3 stage-2 delivery URL. Rotated Cloudflare quick-tunnel with same /download/datab1 path pattern as all other campaign tunnels."
    }
  ],
  "ttps": [
    {"name": "Compromise Software Supply Chain", "mitre_attack_id": "T1195.002", "href": "/ti/ttps/T1195.002"},
    {"name": "Command and Scripting Interpreter: JavaScript", "mitre_attack_id": "T1059.007", "href": "/ti/ttps/T1059.007"},
    {"name": "Ingress Tool Transfer", "mitre_attack_id": "T1105", "href": "/ti/ttps/T1105"},
    {"name": "Web Service", "mitre_attack_id": "T1102", "href": "/ti/ttps/T1102"},
    {"name": "Obfuscated Files or Information: Binary Padding", "mitre_attack_id": "T1027.001", "href": "/ti/ttps/T1027.001"},
    {"name": "Indicator Removal: Timestomp", "mitre_attack_id": "T1070.006", "href": "/ti/ttps/T1070.006"},
    {"name": "Native API", "mitre_attack_id": "T1106", "href": "/ti/ttps/T1106"},
    {"name": "Credentials from Password Stores: Web Browsers", "mitre_attack_id": "T1555.003", "href": "/ti/ttps/T1555.003"},
    {"name": "Steal Web Session Cookie", "mitre_attack_id": "T1539", "href": "/ti/ttps/T1539"},
    {"name": "Unsecured Credentials: Credentials In Files", "mitre_attack_id": "T1552.001", "href": "/ti/ttps/T1552.001"},
    {"name": "Boot or Logon Autostart Execution: Registry Run Keys", "mitre_attack_id": "T1547.001", "href": "/ti/ttps/T1547.001"},
    {"name": "Process Injection: Thread Execution Hijacking", "mitre_attack_id": "T1055.003", "href": "/ti/ttps/T1055.003"},
    {"name": "Remote Access Software", "mitre_attack_id": "T1219", "href": "/ti/ttps/T1219"},
    {"name": "Virtualization/Sandbox Evasion: System Checks", "mitre_attack_id": "T1497.001", "href": "/ti/ttps/T1497.001"}
  ],
  "related_campaigns": [],
  "reports": [
    {
      "title": "Epsilon Axios Typosquat Campaign: serial axios typosquats (turbo-axios, faster-axios) by one Epsilon Stealer operator delivering MaaS infostealer via NSIS-padded Electron dropper with process injection and WebSocket RAT",
      "published_at": "2026-06-01"
    }
  ]
}