# Check Axios Malware
Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).
## When to Use
✅ **USE this skill when:**
- "Did this machine get the malicious axios?" / "npm supply-chain attack check"
- "check if plain-crypto-js is installed"
- "OpenClaw 2026.3.28 security check"
- "Is this machine infected by the supply-chain attack?"
❌ **DON'T use this skill when:**
- Remote host scanning → use nmap / nuclei
- Static code analysis → use semgrep
- Binary malware analysis → use VirusTotal
## Background
In March 2026, axios versions **1.14.1** and **0.30.4** were trojaned through a dependency on `plain-crypto-js@4.2.1`. The malicious `postinstall` script of that package delivered a cross-platform backdoor. OpenClaw `2026.3.28` listed `axios@^1.7.4` in its optionalDependencies and was at risk during the attack window.
## IOC Summary
| Indicator | Safe | Compromised |
|-----------|------|-------------|
| `plain-crypto-js` dir | absent | **present = infected** |
| axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 |
| suspicious process | none | curl/wget/nc in background |
## Commands
### 1. Check for plain-crypto-js (primary IOC)
```bash
find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
```
Any result = **compromised**. Stop here and rotate all credentials.
### 2. Scan all installed axios versions
```bash
# -print0 / -0 and sys.argv keep paths with spaces or quotes from breaking the inline script
find / -path "*/node_modules/axios/package.json" -print0 2>/dev/null | \
xargs -0 -I{} python3 -c "
import json, sys
d = json.load(open(sys.argv[1]))
v = d.get('version', '?')
flag = '❌ MALICIOUS' if v in ['1.14.1', '0.30.4'] else '✅ safe'
print(flag, v, sys.argv[1])
" {} 2>/dev/null
```
### 3. Check OpenClaw version
```bash
# Prefer the global npm root; fall back to the ~/.npm-global layout if npm is unavailable
pkg="$(npm root -g 2>/dev/null)/openclaw/package.json"
[ -f "$pkg" ] || pkg="$HOME/.npm-global/lib/node_modules/openclaw/package.json"
python3 -c "import json, sys; d = json.load(open(sys.argv[1])); print('openclaw', d['version'])" "$pkg" 2>/dev/null || echo "openclaw not found"
```
`2026.3.28` = at-risk version (check axios version above to confirm).
### 4. Check for suspicious background processes
```bash
ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep
```
### 5. Check established network connections
```bash
ss -tnp | grep ESTABLISHED
```
### 6. Check for persistence (crontab, rc files)
```bash
crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
```
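As an added example (not part of the original skill), the following Python script folds steps 1 and 2 above into a single walk of a directory tree and returns structured findings instead of printed lines. It checks only the two filesystem indicators named on this page, and the tree it scans is a constructed fixture built in a temporary directory.

```python
import json
import os
import tempfile

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}  # trojaned versions named above
MALICIOUS_DIR = "plain-crypto-js"       # primary IOC


def scan_tree(root):
    """Walk `root`; return (kind, path, detail) findings, empty when clean."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        name = os.path.basename(dirpath)
        if name == MALICIOUS_DIR:
            findings.append(("plain-crypto-js", dirpath, "present"))
            dirnames[:] = []  # no need to descend into the malicious package
        elif (name == "axios" and "package.json" in filenames
              and os.path.basename(os.path.dirname(dirpath)) == "node_modules"):
            pkg = os.path.join(dirpath, "package.json")
            try:
                with open(pkg, encoding="utf-8") as fh:
                    version = str(json.load(fh).get("version", "?"))
            except (OSError, ValueError):
                version = "?"  # unreadable manifest: report it rather than skip it
            if version in MALICIOUS_AXIOS or version == "?":
                findings.append(("axios", pkg, version))
    return findings


def build_sample_tree():
    """Constructed fixture: one clean axios, one trojaned axios, one plain-crypto-js dir."""
    root = tempfile.mkdtemp(prefix="axios-ioc-")
    for rel, version in {"app-a/node_modules/axios": "1.7.9",
                         "app-b/node_modules/axios": "1.14.1"}.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "axios", "version": version}, fh)
    os.makedirs(os.path.join(root, "app-b", "node_modules", "plain-crypto-js"))
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_tree(build_sample_tree()):
        print(f"COMPROMISED {kind}: {path} ({detail})")
```

Point `scan_tree` at `/home`, `/usr/local` or a project checkout to run it against a real machine; an empty list means neither filesystem IOC was found.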
## Incident Response
If any IOC is found:
1. **Rotate all credentials** on this machine (API keys, SSH keys, tokens)
2. Remove the malicious package: `rm -rf /path/to/plain-crypto-js`
3. Reinstall clean dependencies: `rm -rf node_modules && npm install`
4. Restart OpenClaw: `openclaw daemon restart`
5. Review recent outbound connections in system logs
## Reference
Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80