@qwedqwed/axios @1.16.12

Summary

Package @qwedqwed/axios is published under a scope that does not belong to the real axios maintainers but copies axios's README, source, homepage ( axios-http.com ), repository ( github.com/axios/axios ), and author metadata ( Matt Zabriskie ) verbatim to present itself as the genuine axios library. Its package.json declares two runtime dependencies that the real axios does not use: @caspianph/storyteller@^1.1.12 and math@^0.0.3 . The math name is a long-abandoned npm utility frequently abused as a dependency-confusion / typosquat target, and @caspianph/storyteller is an unknown package under an unrelated scope. Installing or requiring @qwedqwed/axios resolves and loads both of those packages into the installer's dependency graph. The axios source bytes shipped in this tarball are themselves benign (the ping strings flagged are inside axios's normal HTTP adapter / utility code, not an exfil path), but the package functions as a lure: the harmful surface is the silently-pulled transitive code, not this tarball's own JavaScript.

Source: amazon-inspector (65cc6ad7f5d72e7e50a4493915cc5b8ce23b39b6f25ca5515228be44695016ca)