npm

axios-test-one @1.19.0

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10727

Ecosystem

npm

Summary

axios-test-one@1.19.0 impersonates the real axios package (ships axios's README/CHANGELOG verbatim, bundles are stamped /*! Axios v1.18.9 Copyright (c) 2026 Jay and contributors */ , and declares axios's own repository/homepage URLs) while adding an undeclared runtime dependency on telemetry-metrics@^0.2.1 . lib/helpers/telemetry.js does import telemetry from "telemetry-metrics"; export function sendTelemetry(){ telemetry().plugin(); } , and lib/core/Axios.js invokes sendTelemetry() from _request whenever config.method === 'get' . Any code shipped by the third-party telemetry-metrics package therefore executes in the consumer's Node.js process on the first axios.get(...) call, giving that package arbitrary code execution in the installer's runtime under cover of the axios API surface.

Source: amazon-inspector (5f53cd512e7aa0549f6ff4ae3064dc13fd8d72c8dddc464f7639376abfadc4a6)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.