Malicious package

v018-axios-cdntest (npm)

Malicious code in v018-axios-cdntest (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5529
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall v018-axios-cdntest

What this malware does

v018-axios-cdntest impersonates axios v0.18.0: the bundle header reads /* axios v0.18.0 | (c) 2018 by Matt Zabriskie */ and the package.json description self-identifies as 'Axios library v0.18.0 with cryptojacker payload'. The main entry, index.js, is the legitimate axios bundle with an appended IIFE that reads document.cookie and exfiltrates it via an XMLHttpRequest GET to https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735?c=<cookie> whenever the bundle is loaded in a browser. The sibling file xmr-min.js is a self-described 'Stealth Cryptojacker v3.0' that spawns Web Workers (using eval on postMessage data), mines Monero against a hardcoded wallet via pool.supportxmr.com:4444, and dynamically injects an additional <script> from https://cdn.jsdelivr.net/npm/[email protected]/index.js. Any application that bundles this package and ships it to end users will leak end-user cookies to the attacker's webhook and silently mine cryptocurrency in visitors' browsers.
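
A defender-side check for the indicators described above, as an added example that is not part of the advisory: it walks a parsed package-lock.json for the package at any nesting depth and searches built bundle text for the two network indicators named in the description. The function names, the sample lockfile and the sample bundle string are constructed for illustration.

```javascript
// Added example: indicators are copied from the advisory text above.
const BAD_NAME = 'v018-axios-cdntest';
const FLAGGED_VERSION = '1.0.2';
const NETWORK_IOCS = [
  'webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735',
  'pool.supportxmr.com',
];

// Return every location of the package in a parsed package-lock.json.
// lockfileVersion 2/3 uses a flat "packages" map; version 1 nests "dependencies".
function findInLockfile(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: version === FLAGGED_VERSION });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/b"; aliases carry meta.name.
      const name = meta.name || path.split('node_modules/').pop();
      if (name === BAD_NAME) record(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === BAD_NAME) record(here.join(' > '), meta.version);
      walk(meta.dependencies, here); // transitive copies nested under a parent
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Return the network indicators present in the text of a built bundle.
function findNetworkIocs(text) {
  return NETWORK_IOCS.filter((ioc) => text.includes(ioc));
}

// Constructed sample data (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/axios': { version: '0.18.0' },
    'node_modules/ui-kit/node_modules/v018-axios-cdntest': { version: '1.0.2' },
  },
};
const sampleBundle =
  'var u = "https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735?c=";';

console.log(findInLockfile(sampleLock));
console.log(findNetworkIocs(sampleBundle));
```

To run it against a real project, pass the result of JSON.parse on the contents of package-lock.json to findInLockfile, and the text of each built bundle to findNetworkIocs.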

Malicious versions

1 flagged
1.0.2

Indicators of compromise (SHA-256)

a591698b95bbe1180b694b6aac6d31e658b4fd1e0ba9941f7a9714e223a0ab79

Frequently asked questions

No. v018-axios-cdntest on npm has been identified as a malicious package (version 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005288

Credits

  • Amazon Inspector · finder

v018-axios-cdntest (npm) malicious package — MAL-2026-5529 | O3 Security