Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).
✅ USE this skill when:
❌ DON'T use this skill when:
In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned via plain-crypto-js@4.2.1 as a dependency. The malicious postinstall script delivered a cross-platform backdoor. OpenClaw 2026.3.28 used axios@^1.7.4 in optionalDependencies and was at risk during the attack window.
| Indicator | Safe | Compromised |
|---|---|---|
| ----------- | ------ | ------------- |
plain-crypto-js dir | absent | present = infected |
| axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 |
| suspicious process | none | curl/wget/nc in background |
find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
Any result = compromised. Stop here and rotate all credentials.
find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
xargs -I{} python3 -c "
import json
d = json.load(open('{}'))
v = d.get('version','?')
flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
print(flag, v, '{}')
" 2>/dev/null
python3 -c "import json; d=json.load(open('$HOME/.npm-global/lib/node_modules/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"
2026.3.28 = at-risk version (check axios version above to confirm).
ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep
ss -tnp | grep ESTABLISHED
crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
If any IOC is found:
rm -rf /path/to/plain-crypto-jsrm -rf node_modules && npm installopenclaw daemon restartAdvisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80
共 1 个版本