malware npm

faster-axios

discovered 2026-06-01

Wave 2 of the Epsilon Axios Typosquat Campaign. Typosquat of axios (a full copy of the real axios source, 78 files) with an attacker-added lib/core/eval.js triggered by a postinstall hook. Stage 1 fetches remote JS and runs it via eval(). The chain delivers an ~86MB NSIS-padded PE32 (hello.exe) containing an electron-builder Electron app.

The payload is Epsilon Stealer (MaaS), a 3,360-line JS infostealer (package.json name: 'winhost', version 1.0.1, author: 'OracleCorporation' decoy, epsilon_key: SK-754644F96BBA9652C8A2A08042ABAF58827D). Capabilities: browser credential theft (Chrome/Brave/Edge/Vivaldi/Opera/Yandex/Firefox via DPAPI + koffi FFI), 30+ crypto wallet theft with BIP-39 seed extraction, Discord token theft, Telegram session theft, GitHub backup code theft, sensitive file keyword scanning (EN + FR), persistence via an svchost.exe copy + Run key, process injection (XOR-decoded shellcode into a suspended dllhost.exe via koffi FFI into kernel32.dll), a WebSocket RAT with cmd.exe/powershell execution, and sandbox detection via IP/hostname blacklists.

Uses 5 Cloudflare quick-tunnels for delivery, the exfil API, secondary download, the WebSocket RAT gateway, and shellcode download. Published by the throwaway npm account speedsteraxios after turbo-axios was taken down.

Threat types

typosquat credential_stealer rat c2_agent data_exfiltration persistence

Malicious versions

  • 1.17.3 · f89694ba247a7a67…
  • 1.17.4 · 80c18e0d71a31a2e…
