Check Axios Malware
Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).
When to Use
✅ USE this skill when:
- "是否中了恶意axios" / "npm supply-chain attack check"
- "check if plain-crypto-js is installed"
- "OpenClaw 2026.3.28 安全排查"
- "本机是否被供应链攻击感染"
❌ DON'T use this skill when:
- Remote host scanning → use nmap / nuclei
- Static code analysis → use semgrep
- Binary malware analysis → use VirusTotal
Background
In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned via plain-crypto-js@4.2.1 as a dependency. The malicious postinstall script delivered a cross-platform backdoor. OpenClaw 2026.3.28 used axios@^1.7.4 in optionalDependencies and was at risk during the attack window.
IOC Summary
| Indicator | Safe | Compromised |
|---|---|---|
plain-crypto-js dir | absent | present = infected |
| axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 |
| suspicious process | none | curl/wget/nc in background |
Commands
1. Check for plain-crypto-js (primary IOC)
find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
Any result = compromised. Stop here and rotate all credentials.
2. Scan all installed axios versions
find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
xargs -I{} python3 -c "
import json
d = json.load(open('{}'))
v = d.get('version','?')
flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
print(flag, v, '{}')
" 2>/dev/null
3. Check OpenClaw version
python3 -c "import json; d=json.load(open('$HOME/.npm-global/lib/node_modules/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"
2026.3.28 = at-risk version (check axios version above to confirm).
4. Check for suspicious background processes
ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep
5. Check established network connections
ss -tnp | grep ESTABLISHED
6. Check for persistence (crontab, rc files)
crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
Incident Response
If any IOC is found:
- Rotate all credentials on this machine (API keys, SSH keys, tokens)
- Remove the malicious package:
rm -rf /path/to/plain-crypto-js - Reinstall clean dependencies:
rm -rf node_modules && npm install - Restart OpenClaw:
openclaw daemon restart - Review recent outbound connections in system logs
Reference
Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80