🎁 Get the FREE AI Skills Starter GuideSubscribe →
BytesAgainBytesAgain
🦀 ClawHub

Check Axios Malware

by @tjefferson

Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via plain-crypto-js@4.2.1). Use when: user asks about...

Versionv1.0.0
Downloads354
TERMINAL
clawhub install check-axios-malware

📖 About This Skill


name: check-axios-malware description: "Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via plain-crypto-js@4.2.1). Use when: user asks about npm security, axios malware, supply-chain infection check, or OpenClaw 2026.3.28 safety. NOT for: remote host scanning, static code analysis." metadata: {"openclaw":{"emoji":"🔍","requires":{"bins":["find","ps","ss","crontab","python3"]}}}

Check Axios Malware

Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).

When to Use

USE this skill when:

  • "是否中了恶意axios" / "npm supply-chain attack check"
  • "check if plain-crypto-js is installed"
  • "OpenClaw 2026.3.28 安全排查"
  • "本机是否被供应链攻击感染"
  • DON'T use this skill when:

  • Remote host scanning → use nmap / nuclei
  • Static code analysis → use semgrep
  • Binary malware analysis → use VirusTotal
  • Background

    In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned via plain-crypto-js@4.2.1 as a dependency. The malicious postinstall script delivered a cross-platform backdoor. OpenClaw 2026.3.28 used axios@^1.7.4 in optionalDependencies and was at risk during the attack window.

    IOC Summary

    | Indicator | Safe | Compromised | |-----------|------|-------------| | plain-crypto-js dir | absent | present = infected | | axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 | | suspicious process | none | curl/wget/nc in background |

    Commands

    1. Check for plain-crypto-js (primary IOC)

    find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
    

    Any result = compromised. Stop here and rotate all credentials.

    2. Scan all installed axios versions

    find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
      xargs -I{} python3 -c "
    import json
    d = json.load(open('{}'))
    v = d.get('version','?')
    flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
    print(flag, v, '{}')
    " 2>/dev/null
    

    3. Check OpenClaw version

    python3 -c "import json; d=json.load(open('$HOME/.npm-global/lib/node_modules/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"
    

    2026.3.28 = at-risk version (check axios version above to confirm).

    4. Check for suspicious background processes

    ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep
    

    5. Check established network connections

    ss -tnp | grep ESTABLISHED
    

    6. Check for persistence (crontab, rc files)

    crontab -l 2>/dev/null
    tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
    

    Incident Response

    If any IOC is found:

    1. Rotate all credentials on this machine (API keys, SSH keys, tokens) 2. Remove the malicious package: rm -rf /path/to/plain-crypto-js 3. Reinstall clean dependencies: rm -rf node_modules && npm install 4. Restart OpenClaw: openclaw daemon restart 5. Review recent outbound connections in system logs

    Reference

    Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80

    ⚡ When to Use

    TriggerAction
    - "是否中了恶意axios" / "npm supply-chain attack check"
    - "check if plain-crypto-js is installed"
    - "OpenClaw 2026.3.28 安全排查"
    - "本机是否被供应链攻击感染"
    ❌ **DON'T use this skill when:**
    - Remote host scanning → use nmap / nuclei
    - Static code analysis → use semgrep
    - Binary malware analysis → use VirusTotal