malware npm

turbo-axios

discovered 2026-06-01

Wave 1 of the Epsilon Axios Typosquat Campaign. Precursor axios typosquat published 2026-05-23, taken down by npm security hold 2026-05-28 (5 days). Same operator as faster-axios: shared infrastructure (consequences-faces-weblogs-clinical.trycloudflare.com used as stage-2 C2 for turbo-axios v1.17.2 and as DOWNLOAD_URL in faster-axios Epsilon Stealer source), identical version numbering (1.17.x), same postinstall hook (node ./lib/core/eval.js), same sendAnalytics() function name, same /download/datab1 URL path pattern. v1.17.2 used consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1 as stage-2 endpoint. v1.17.3 rotated to philosophy-moms-incoming-milton.trycloudflare.com/download/datab1. OSV: MAL-2026-4695.

more…

Threat types

typosquat credential_stealer c2_agent

Malicious versions

1.17.2
1.17.3

Campaigns

Epsilon Axios Typosquat Campaignattributed-to

Indicators

domain consequences-faces-weblogs-clinical.trycloudflare.comcommunicates-with
url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1communicates-with
domain philosophy-moms-incoming-milton.trycloudflare.comcommunicates-with
url https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1communicates-with

Techniques

ttp T1195.002 Compromise Software Supply Chainuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1102 Web Serviceuses
ttp T1105 Ingress Tool Transferuses