I'm posting this to flag a pattern I found while researching supply chain risk on high-download npm packages with maintenance gaps. This affects node-fetch and at least two other JavaScript HTTP client libraries.
The Pattern
An account called nthbotast (created February 27, 2026) has submitted 160 PRs across multiple repositories in 31 days. The account has 0 followers, no bio, no company, and 31 repositories (all forks).
The PRs specifically target JavaScript HTTP infrastructure:
node-fetch (this repo): 9 PRs, March 2-8
nodejs/undici: 12 PRs, March 4-17
axios/axios: 8 PRs, March 3-8
lodash/lodash: 15 PRs, March 2-22
Also: tektoncd/pipeline, up-for-grabs.net, and others
On each repo, the contribution pattern follows the same progression: documentation PRs first, then type/test changes, then source code modifications.
Security-Relevant Source Code Changes
I reviewed the source code PRs across all four libraries. On the three HTTP client libraries, the source code changes specifically target proxy and credential handling:
node-fetch #1878 — Adds code to silently strip cookie, proxy-authorization, host, and all sec-* headers from outgoing requests. While this aligns with the browser Fetch spec's "forbidden headers" list, that list exists because in a browser the user agent owns those headers and sets them itself; in node-fetch the calling code is the user agent, so nothing else will supply Proxy-Authorization for an authenticating proxy or a Host override for a gateway. node-fetch is a server-side HTTP client where these headers are intentionally set for authenticated API calls and proxy environments, so this would be a breaking behavioral change for production users.
nodejs/undici #4860 — Modified lib/dispatcher/env-http-proxy-agent.js, the dispatcher that selects a proxy from the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables. The initial version of this PR would have defaulted HTTPS proxy connections to plaintext HTTP — a TLS downgrade. Maintainer @metcoder95 caught this during review. The PR was closed without merge.
axios/axios #7479 — Bumps proxy-from-env from v1 to v2 and modifies the import in lib/adapters/http.js (the core HTTP adapter), changing proxy resolution logic. This was closed without merge.
lodash/lodash — By contrast, the 4 source code PRs on lodash (a utility library, not an HTTP client) are legitimate improvements that actually strengthen prototype pollution defenses.
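To make the node-fetch #1878 point concrete, the following is an added illustration (not code from node-fetch or from the PR): the browser Fetch spec's forbidden-request-header rule, applied to the kind of header set a server-side service sets by hand when it talks to an API through an authenticating proxy. The header names and values are constructed for the example.

```javascript
// Added example, not node-fetch's code: the Fetch spec's "forbidden request header"
// rule and what it would silently remove from a server-side request.

// Header names the Fetch spec forbids page code from setting (the user agent owns them).
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin', 'referer',
  'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  // The spec also forbids every name starting with "proxy-" or "sec-". Its special
  // handling of X-HTTP-Method-Override and friends (forbidden only for some values)
  // is omitted here as a simplification.
  return FORBIDDEN_REQUEST_HEADERS.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Apply the browser rule to an outgoing header object; report what survives and what is lost.
function stripForbiddenHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name)) dropped.push(name.toLowerCase());
    else kept[name] = value;
  }
  return { kept, dropped };
}

// Constructed: headers a Node service behind an authenticating proxy commonly sets itself.
const SERVER_SIDE_REQUEST_HEADERS = {
  'Authorization': 'Bearer app-token',              // kept: end-to-end API credential
  'Proxy-Authorization': 'Basic cHJveHk6c2VjcmV0',  // dropped: the proxy credential
  'Cookie': 'session=abc123',                        // dropped: a session the service manages
  'Host': 'api.internal.example',                    // dropped: virtual-host routing via a gateway
  'Sec-WebSocket-Protocol': 'v1',                    // dropped: sec-* prefix
  'User-Agent': 'billing-service/1.0',               // kept
};

// Returns the kept/dropped split for the constructed request.
function demo() {
  return stripForbiddenHeaders(SERVER_SIDE_REQUEST_HEADERS);
}

console.log(JSON.stringify(demo(), null, 2));
```

The same predicate, run once against the headers your own services actually send, tells you which calls would break under a browser-style filter; a consumer that depends on Proxy-Authorization or Cookie can keep a check like this in its integration tests so that a silently published change of this kind fails CI instead of failing in production.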
Current Impact
No source code from this account has been merged on node-fetch, undici, or lodash. On undici, the maintainer review process caught the TLS downgrade issue. On node-fetch and lodash, nothing has been merged because no maintainer is actively reviewing PRs.
One documentation PR was merged on axios (#7478 — a JSDoc comment correction with zero functional change).
What I Am NOT Saying
I am not claiming this account is malicious. The code changes reviewed are technically spec-compliant. This pattern could indicate:
An AI agent being used for automated profile building across popular repositories
A developer using AI tools to generate spec-compliance fixes at scale
Legitimate contributions from someone working very quickly
The PR descriptions on axios reference "cubic," suggesting AI-assisted generation.
Why This Warrants Attention
The combination of factors is what matters:
This repo has 131M weekly npm downloads and has not had a maintainer commit in 32 months
The CI pipeline auto-publishes to npm on merge to main or 2.x via semantic-release
No CODEOWNERS file or visible required review policy exists
The specific code paths targeted (authentication headers, proxy connections) are exactly where credential theft or traffic interception would be implemented in a supply chain attack
The September 2025 npm supply chain attack compromised packages with 2.6B weekly downloads through a phished maintainer account. This repo has a similar risk profile: high downloads, absent maintainers, automated publishing
Separately, another account (theluckystrike, created 2019 but with only 2 PRs from 2019-2024 followed by 1,726 PRs in March 2026 alone) also submitted PRs to this repo in the same timeframe. That account's activity is primarily mass URL updates and dependency bumps across hundreds of Chrome extension repositories — a different pattern, but the sudden velocity change on a dormant account is notable.
Recommendations
If the org is no longer able to maintain this repo, consider archiving it with a README notice directing users to Node.js built-in fetch, or transferring to a stewardship organization
src/request.js, src/response.js, and src/body.js
Data Sources
All findings are based on public GitHub API data:
Account creation dates and PR counts via GitHub Search API
PR file changes via GitHub Pulls API
Commit history via GitHub Repos API
I'm happy to share the full audit methodology if any maintainer wants to review it.
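The following is an added example of the kind of audit the Data Sources section describes; it is not the post author's tooling. It classifies a contributor's PRs by the files they touch, detects the docs, then types/tests, then source progression noted above, and flags source changes on credential or proxy paths. The pure functions run offline on constructed, GitHub-API-shaped records (the login, PR numbers and file lists are made up); the path heuristics are assumptions for this example, not any project's policy. auditLive() is opt-in (assumed environment variables AUDIT_LOGIN and GITHUB_TOKEN, and Node 18+ for the global fetch) and uses the real GET /users/{login}, GET /search/issues and GET /repos/{owner}/{repo}/pulls/{n}/files endpoints.

```javascript
// Added example, not the post's audit tooling. Path heuristics are assumptions.
const DOC_RE = /^docs?\/|\.md$|^(LICENSE|CHANGELOG)/i;
const TEST_TYPES_RE = /(^|\/)(tests?|__tests__|spec)\/|\.(test|spec)\.[cm]?[jt]sx?$|\.d\.ts$|^@types\//;
// Where credential and proxy handling tends to live in an HTTP client.
const SENSITIVE_RE = /(proxy|auth|credential|header|request|adapters\/http|dispatcher)/i;

// files: [{ filename }] as returned by GET /repos/{o}/{r}/pulls/{n}/files
function classifyPr(files) {
  const names = files.map((f) => f.filename);
  if (names.length === 0) return 'empty';
  if (names.every((n) => DOC_RE.test(n))) return 'docs';
  if (names.every((n) => DOC_RE.test(n) || TEST_TYPES_RE.test(n))) return 'types-tests';
  return 'source';
}

// Non-doc, non-test files on sensitive paths.
function sensitiveSourceFiles(files) {
  return files
    .map((f) => f.filename)
    .filter((n) => !DOC_RE.test(n) && !TEST_TYPES_RE.test(n) && SENSITIVE_RE.test(n));
}

// Collapse one repo's PRs, in submission order, into the sequence of change kinds.
function progressionPath(prs) {
  const ordered = [...prs].sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at));
  const path = [];
  for (const pr of ordered) {
    const kind = classifyPr(pr.files);
    if (path[path.length - 1] !== kind) path.push(kind);
  }
  return path;
}

// user: GET /users/{login} shape; prs: [{ repo, number, created_at, files }]
function auditReport(user, prs, asOf) {
  const ageDays = Math.max(1, Math.round((Date.parse(asOf) - Date.parse(user.created_at)) / 86400000));
  const byRepo = {};
  for (const pr of prs) (byRepo[pr.repo] = byRepo[pr.repo] || []).push(pr);
  const repos = {};
  for (const [repo, list] of Object.entries(byRepo)) {
    const path = progressionPath(list);
    repos[repo] = {
      prCount: list.length,
      path,
      docsThenSource: path[0] === 'docs' && path.includes('source'),
      flagged: list
        .map((pr) => ({ number: pr.number, files: sensitiveSourceFiles(pr.files) }))
        .filter((x) => x.files.length > 0),
    };
  }
  return {
    login: user.login, ageDays, followers: user.followers, prCount: prs.length,
    prsPerDay: Number((prs.length / ageDays).toFixed(2)), repos,
  };
}

async function ghJson(url, token) {
  const headers = { Accept: 'application/vnd.github+json' };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`GitHub API ${res.status} for ${url}`);
  return res.json();
}

// Live mode: search caps at 1000 results, 100 per page, so paginate.
async function auditLive(login, token) {
  const user = await ghJson(`https://api.github.com/users/${login}`, token);
  const prs = [];
  for (let page = 1; ; page++) {
    const q = encodeURIComponent(`type:pr author:${login}`);
    const search = await ghJson(`https://api.github.com/search/issues?q=${q}&per_page=100&page=${page}`, token);
    for (const item of search.items) {
      const repo = item.repository_url.replace('https://api.github.com/repos/', '');
      const files = await ghJson(`https://api.github.com/repos/${repo}/pulls/${item.number}/files?per_page=100`, token);
      prs.push({ repo, number: item.number, created_at: item.created_at, files });
    }
    if (search.items.length < 100) break;
  }
  return auditReport(user, prs, new Date().toISOString());
}

// Constructed sample shaped like the API responses (account, numbers and files are made up).
const SAMPLE_USER = { login: 'example-account', created_at: '2026-02-27T00:00:00Z', followers: 0, public_repos: 31 };
const SAMPLE_PRS = [
  { repo: 'example/http-client', number: 101, created_at: '2026-03-02T09:00:00Z',
    files: [{ filename: 'README.md' }, { filename: 'docs/guide.md' }] },
  { repo: 'example/http-client', number: 102, created_at: '2026-03-04T09:00:00Z',
    files: [{ filename: '@types/index.d.ts' }, { filename: 'test/headers.js' }] },
  { repo: 'example/http-client', number: 103, created_at: '2026-03-06T09:00:00Z',
    files: [{ filename: 'src/request.js' }, { filename: 'src/headers.js' }, { filename: 'test/request.js' }] },
];

function sampleReport() {
  return auditReport(SAMPLE_USER, SAMPLE_PRS, '2026-03-30T00:00:00Z');
}

if (process.env.AUDIT_LOGIN) {
  auditLive(process.env.AUDIT_LOGIN, process.env.GITHUB_TOKEN)
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
} else {
  console.log(JSON.stringify(sampleReport(), null, 2));
}
```

Run it with no environment to see the report for the constructed sample, or with AUDIT_LOGIN=someuser GITHUB_TOKEN=... to pull a real account. The signal the post describes is the combination in the report: a small ageDays, a high prsPerDay, a per-repo path that starts at docs and reaches source, and flagged entries on the request, header or proxy files; none of these alone says anything about intent, which is why the heuristics are kept as separate fields rather than collapsed into a score.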