// npm package
axiosqqq
Promise based HTTP client for the browser and node.js
versions
2
maintainers
1
license
MIT
first publish
2026-05-18
publisher
caspianph
tarball
2,813,083 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-18
// exfil path
what is read → where it shipssteals
- ● Chromium logins
sends to
(no destination string extracted — payload may be dynamic / obfuscated)
evidence in excerpt
> "name": "axiosqqq", > "main": "./dist/node/axios.cjs", > "jsdelivr": "dist/axios.min.js", > "unpkg": "dist/axios.min.js", > "require": "./dist/node/axios.cjs",
// offending code· @1.16.2· 3 files flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
- @1.16.2··AUTO-PUBLISHED·publisher: caspianphheuristic 75/100static flags 4llm benign (0.85) via ollamanew-publisher:8dhas-source-repoosv-flagged:MAL-2026-4493public-github-pushchild-process-spawnreads-chromium-credsreads-env-vars
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
// offending code· 3 files flaggedpatterns: 4
--- package/package.json (excerpt) --- { "name": "axiosqqq", "version": "1.16.2", "description": "Promise based HTTP client for the browser and node.js", "main": "./dist/node/axios.cjs", "module": "./index.js", "type": "module", "types": "index.d.ts", "jsdelivr": "dist/axios.min.js", "unpkg": "dist/axios.min.js", "typings": "./index.d.ts", "exports": { ".": { "types": { "require": "./index.d.cts", "default": "./index.d.ts" }, "bun": { "require": "./dist/node/axios.cjs", "default": "./index.js" }, "react-native": { "require": "./dist/browser/axios.cjs", "default": "./dist/esm/axios.js" }, "browser": { "require": "./dist/browser/axios.cjs", "default": "./index.js" }, "default": { "require": "./dist/node/axios.cjs", "default": "./index.js" } }, "./lib/adapters/http.js": "./lib/adapters/http.js", "./lib/adapters/xhr.js": "./lib/adapters/xhr.js", "./unsafe/*": "./lib/*", "./unsafe/core/settle.js": "./lib/core/settle.js", "./unsafe/core/buildFullPath.js": "./lib/core/buildFullPath.js", "./unsafe/helpers/isAbsoluteURL.js": "./lib/helpers/isAbsoluteURL.js", "./unsafe/helpers/buildURL.js": "./lib/helpers/buildURL.js", "./unsafe/helpers/combineURLs.js": "./lib/helpers/combineURLs.js", "./unsafe/adapters/http.js": "./lib/adapters/http.js", "./unsafe/adapters/xhr.js": "./lib/adapters/xhr.js", "./unsafe/utils.js": ". --- package/lib/utils.js (excerpt) --- 'use strict'; import bind from './helpers/bind.js'; // utils is a library of generic helper functions non-specific to axios const { toString } = Object.prototype; const { getPrototypeOf } = Object; const { iterator, toStringTag } = Symbol; const kindOf = ((cache) => (thing) => { const str = toString.call(thing); return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase()); })(Object.create(null)); const kindOfTest = (type) => { type = type.toLowerCase(); return (thing) => kindOf(thing) === type; }; const typeOfTest = (type) => (thing) => typeof thing === type; /** * Determine if a value is a non-null object * * @param {Object} val The value to test * * @returns {boolean} True if value is an Array, otherwise false */ const { isArray } = Array; /** * Determine if a value is undefined * * @param {*} val The value to test * * @returns {boolean} True if the value is undefined, otherwise false */ const isUndefined = typeOfTest('undefined'); /** * Determine if a value is a Buffer * * @param {*} val The value to test * * @returns {boolean} True if value is a Buffer, otherwise false */ function isBuffer(val) { return ( val !== null && !isUndefined(val) && val.constructor !== null && !isUndefined(val.constructor) && isFunction(val.constructor.isBuffer) && val.constructor.isBuffer(val) ); } /** * Determine if a value is an ArrayBuffer * * @param {*} val The value to test * * @returns {boolean} True if value is an --- package/lib/helpers/cookies.js (excerpt) --- import utils from '../utils.js'; import platform from '../platform/index.js'; export default platform.hasStandardBrowserEnv ? // Standard browser envs support document.cookie { write(name, value, expires, path, domain, secure, sameSite) { if (typeof document === 'undefined') return; const cookie = [`${name}=${encodeURIComponent(value)}`]; if (utils.isNumber(expires)) { cookie.push(`expires=${new Date(expires).toUTCString()}`); } if (utils.isString(path)) { cookie.push(`path=${path}`); } if (utils.isString(domain)) { cookie.push(`domain=${domain}`); } if (secure === true) { cookie.push('secure'); } if (utils.isString(sameSite)) { cookie.push(`SameSite=${sameSite}`); } document.cookie = cookie.join('; '); }, read(name) { if (typeof document === 'undefined') return null; // Match name=value by splitting on the semicolon separator instead of building a // RegExp from `name` — interpolating an unescaped string into a RegExp would let // metacharacters (e.g. `.+?` in an attacker-influenced cookie name) cause ReDoS or // match the wrong cookie. Browsers may serialize cookie pairs as either ";" or // "; ", so ignore optional whitespace before each cookie name. const cookies = document.cookie.split(';'); for (let i = 0; i < cookies.length; i+ --- bundled output (OSV-MAL flagged — LLM scope expansion) --- --- dist/axios.js (bundled) --- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ (function (global, factory) { typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() : typeof define === 'function' && define.amd ? define(factory) : (global = typeof globalThis !== 'undefined' ? globalThis : global || self, global.axios = factory()); })(this, (function () { 'use strict'; function _OverloadYield(e, d) { this.v = e, this.k = d; } function _arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; } function _arrayWithHoles(r) { if (Array.isArray(r)) return r; } function _arrayWithoutHoles(r) { if (Array.isArray(r)) return _arrayLikeToArray(r); } function _assertThisInitialized(e) { if (void 0 === e) throw new ReferenceError("this hasn't been initialised - super() hasn't been called"); return e; } function _asyncGeneratorDelegate(t) { var e = {}, n = false; function pump(e, r) { return n = true, r = new Promise(function (n) { n(t[e](r)); }), { done: false, value: new _OverloadYield(r, 1) }; } return e["undefined" != typeof Symbol && Symbol.iterator || "@@iterator"] = function () { return this; }, e.next = function (t) { return n ? (n = false, t) : pump("next", t); }, "function" == typeof t.throw && (e.throw = function (t) { if (n) throw n = false, t; return pump("throw", t); }), "function" == typeof t.return && (e.return = function (t) { return n ? (n = false, t) : pump("return", t); }), e; } function _asyncIterator(r) { var n, t, o, e = 2; for ("undefined" != typeof Symbol && (t = Symbol.asyncIterator, o = Symbol.iterator); e--;) { if (t && null != (n = r[t])) return n.call(r); if (o && null != (n = r[o])) return new AsyncFromSyncIterator(n.call(r)); t --- dist/axios.min.js (bundled) --- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).axios=t()}(this,function(){"use strict";function e(e,t){this.v=e,this.k=t}function t(e,t){(null==t||t>e.length)&&(t=e.length);for(var n=0,r=Array(t);n<t;n++)r[n]=e[n];return r}function n(t){var n={},r=!1;function o(n,o){return r=!0,o=new Promise(function(e){e(t[n](o))}),{done:!1,value:new e(o,1)}}return n["undefined"!=typeof Symbol&&Symbol.iterator||"@@iterator"]=function(){return this},n.next=function(e){return r?(r=!1,e):o("next",e)},"function"==typeof t.throw&&(n.throw=function(e){if(r)throw r=!1,e;return o("throw",e)}),"function"==typeof t.return&&(n.return=function(e){return r?(r=!1,e):o("return",e)}),n}function r(e){var t,n,r,i=2;for("undefined"!=typeof Symbol&&(n=Symbol.asyncIterator,r=Symbol.iterator);i--;){if(n&&null!=(t=e[n]))return t.call(e);if(r&&null!=(t=e[r]))return new o(t.call(e));n="@@asyncIterator",r="@@iterator"}throw new TypeError("Object is not async iterable")}function o(e){function t(e){if(Object(e)!==e)return Promise.reject(new TypeError(e+" is not an object."));var t=e.done;return Promise.resolve(e.value).then(function(e){return{value:e,done:t}})}return o=function(e){this.s=e,this.n=e.next},o.prototype={s:null,n:null,next:function(){return t(this.n.apply(this.s,arguments))},return:function(e){var n=this.s.return;return void 0===n?Promise.resolve({value:e,done:!0}):t(n.apply(this.s,arguments))},throw:function(e){var n=this.s.return;return void 0===n?Promise.reject(e):t(n.apply(this.s,arguments))}},new o(e)}function i(e,t,n,r,o,i,a){try{var u=e[i](a),s=u.value}catch(e){return void n(e)}u.done?t(s):Promise.resolve(s).then(r,o)}function a(e){return function(){var t=this,n=arguments;return new Promise(function(r,o){var a=e.apply(t,n);function u(e){i(a,r,o,u,s,"next",e)}function s(e){i(a,r,o --- dist/node/axios.cjs (bundled) --- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ 'use strict'; var FormData$1 = require('form-data'); var crypto = require('crypto'); var url = require('url'); var HttpsProxyAgent = require('https-proxy-agent'); var http = require('http'); var https = require('https'); var http2 = require('http2'); var util = require('util'); var path = require('path'); var followRedirects = require('follow-redirects'); var zlib = require('zlib'); var stream = require('stream'); var events = require('events'); /** * Create a bound version of a function with a specified `this` context * * @param {Function} fn - The function to bind * @param {*} thisArg - The value to be passed as the `this` parameter * @returns {Function} A new function that will call the original function with the specified `this` context */ function bind(fn, thisArg) { return function wrap() { return fn.apply(thisArg, arguments); }; } // utils is a library of generic helper functions non-specific to axios const { toString } = Object.prototype; const { getPrototypeOf } = Object; const { iterator, toStringTag } = Symbol; const kindOf = (cache => thing => { const str = toString.call(thing); return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase()); })(Object.create(null)); const kindOfTest = type => { type = type.toLowerCase(); return thing => kindOf(thing) === type; }; const typeOfTest = type => thing => typeof thing === type; /** * Determine if a value is a non-null object * * @param {Object} val The value to test * * @returns {boolean} True if value is an Array, otherwise false */ const { isArray } = Array; /** * Determine if a value is undefined * * @param {*} val The value to test * * @returns {boolean} True if the value is undefined, otherwise false */ const isUndefined = typeOfTest('undefined'); /** * Determine if a value is a Buffer * * @param {*} val The value to test * * @returns {boolean} True if value is a Buffer, other --- dist/esm/axios.js (bundled) --- /*! Axios v1.16.1 Copyright (c) 2026 Matt Zabriskie and contributors */ /** * Create a bound version of a function with a specified `this` context * * @param {Function} fn - The function to bind * @param {*} thisArg - The value to be passed as the `this` parameter * @returns {Function} A new function that will call the original function with the specified `this` context */ function bind(fn, thisArg) { return function wrap() { return fn.apply(thisArg, arguments); }; } // utils is a library of generic helper functions non-specific to axios const { toString } = Object.prototype; const { getPrototypeOf } = Object; const { iterator, toStringTag } = Symbol; const kindOf = ((cache) => (thing) => { const str = toString.call(thing); return cache[str] || (cache[str] = str.slice(8, -1).toLowerCase()); })(Object.create(null)); const kindOfTest = (type) => { type = type.toLowerCase(); return (thing) => kindOf(thing) === type; }; const typeOfTest = (type) => (thing) => typeof thing === type; /** * Determine if a value is a non-null object * * @param {Object} val The value to test * * @returns {boolean} True if value is an Array, otherwise false */ const { isArray } = Array; /** * Determine if a value is undefined * * @param {*} val The value to test * * @returns {boolean} True if the value is undefined, otherwise false */ const isUndefined = typeOfTest('undefined'); /** * Determine if a value is a Buffer * * @param {*} val The value to test * * @returns {boolean} True if value is a Buffer, otherwise false */ function isBuffer(val) { return ( val !== null && !isUndefined(val) && val.constructor !== null && !isUndefined(val.constructor) && isFunction$1(val.constructor.isBuffer) && val.constructor.isBuffer(val) ); } /** * Determine if a value is an ArrayBuffer * *
