axios-test-one @1.19.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10727
Ecosystem
npm
Summary
axios-test-one@1.19.0 impersonates the real axios package (ships axios's README/CHANGELOG verbatim, bundles are stamped /*! Axios v1.18.9 Copyright (c) 2026 Jay and contributors */ , and declares axios's own repository/homepage URLs) while adding an undeclared runtime dependency on telemetry-metrics@^0.2.1 . lib/helpers/telemetry.js does import telemetry from "telemetry-metrics"; export function sendTelemetry(){ telemetry().plugin(); } , and lib/core/Axios.js invokes sendTelemetry() from _request whenever config.method === 'get' . Any code shipped by the third-party telemetry-metrics package therefore executes in the consumer's Node.js process on the first axios.get(...) call, giving that package arbitrary code execution in the installer's runtime under cover of the axios API surface.
Source: amazon-inspector (5f53cd512e7aa0549f6ff4ae3064dc13fd8d72c8dddc464f7639376abfadc4a6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.