Check Axios Malware
by @tjefferson
Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via plain-crypto-js@4.2.1). Use when: user asks about...
clawhub install check-axios-malware📖 About This Skill
name: check-axios-malware description: "Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via plain-crypto-js@4.2.1). Use when: user asks about npm security, axios malware, supply-chain infection check, or OpenClaw 2026.3.28 safety. NOT for: remote host scanning, static code analysis." metadata: {"openclaw":{"emoji":"🔍","requires":{"bins":["find","ps","ss","crontab","python3"]}}}
Check Axios Malware
Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).
When to Use
✅ USE this skill when:
❌ DON'T use this skill when:
Background
In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned via plain-crypto-js@4.2.1 as a dependency. The malicious postinstall script delivered a cross-platform backdoor. OpenClaw 2026.3.28 used axios@^1.7.4 in optionalDependencies and was at risk during the attack window.
IOC Summary
| Indicator | Safe | Compromised |
|-----------|------|-------------|
| plain-crypto-js dir | absent | present = infected |
| axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 |
| suspicious process | none | curl/wget/nc in background |
Commands
1. Check for plain-crypto-js (primary IOC)
find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
Any result = compromised. Stop here and rotate all credentials.
2. Scan all installed axios versions
find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
xargs -I{} python3 -c "
import json
d = json.load(open('{}'))
v = d.get('version','?')
flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
print(flag, v, '{}')
" 2>/dev/null
3. Check OpenClaw version
python3 -c "import json; d=json.load(open('$HOME/.npm-global/lib/node_modules/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"
2026.3.28 = at-risk version (check axios version above to confirm).
4. Check for suspicious background processes
ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep
5. Check established network connections
ss -tnp | grep ESTABLISHED
6. Check for persistence (crontab, rc files)
crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
Incident Response
If any IOC is found:
1. Rotate all credentials on this machine (API keys, SSH keys, tokens)
2. Remove the malicious package: rm -rf /path/to/plain-crypto-js
3. Reinstall clean dependencies: rm -rf node_modules && npm install
4. Restart OpenClaw: openclaw daemon restart
5. Review recent outbound connections in system logs
Reference
Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80