Description

Checks for the March 2026 axios supply chain attack — two malicious npm versions ([email protected] and [email protected]) that injected a RAT dropper via a fake depen...

README (SKILL.md)

axios Supply Chain Attack — Detection & Remediation

Name: Axios Security Check
Author: vjumpkung

In March 2026, two malicious versions of axios were published to npm:

[email protected] (live ~2h 53m)
[email protected] (live ~2h 15m)

Both injected a fake dependency [email protected] that ran a postinstall script deploying a cross-platform remote access trojan (RAT). The malware then deleted itself and replaced its own package.json with a clean decoy to evade detection.

Safe versions: [email protected] (1.x users) · [email protected] (0.x users)

Step 1 — Check if the project is affected

Run these checks in the project directory:

# Check package-lock.json or yarn.lock for the malicious versions
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
grep -A1 '"axios"' package-lock.json 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

# Check if plain-crypto-js was ever installed
# (its presence alone means the dropper ran — it's NEVER a dep of legitimate axios)
ls node_modules/plain-crypto-js 2>/dev/null && echo "⚠️  POTENTIALLY COMPROMISED"

If plain-crypto-js/ exists in node_modules, the dropper executed. The npm list version reported may show 4.2.0 (not 4.2.1) due to the anti-forensics swap — the directory presence is the reliable signal.

Step 2 — Check for RAT artifacts on the system

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "⚠️  COMPROMISED (macOS RAT binary)"

# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "⚠️  COMPROMISED (Linux Python RAT)"

# Windows (run in cmd.exe or PowerShell)
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo "COMPROMISED (Windows persistent RAT)"

On Windows, %PROGRAMDATA%\wt.exe is a persistent copy of PowerShell left behind — it survives package removal and reboots.

Step 3 — Check CI/CD pipeline logs

Search CI run logs for any npm install or npm ci that may have pulled the malicious versions during the window 2026-03-31 00:21 UTC – 2026-03-31 03:15 UTC. Any pipeline run in that window that installed axios should be treated as compromised.

Reading the results

Finding	Meaning
`[email protected]` or `[email protected]` in lock file	Was exposed; check further
`node_modules/plain-crypto-js/` exists	Dropper ran — treat as compromised
RAT artifact found	System is compromised — rebuild
None of the above	No evidence of compromise

Remediation

If no compromise evidence found (precautionary cleanup)

# 1. Pin to safe version
npm install [email protected]        # 1.x users
npm install [email protected]        # 0.x users

# 2. Lock against transitive re-resolution (add to package.json)
# "overrides": { "axios": "1.14.0" },
# "resolutions": { "axios": "1.14.0" }

# 3. Remove plain-crypto-js if present
rm -rf node_modules/plain-crypto-js
npm install --ignore-scripts

If compromise is confirmed (RAT artifact found or dropper ran)

Do NOT attempt to clean in place. The system must be treated as fully compromised.

Rebuild from a known-good state — do not trust the affected machine
Rotate all credentials accessible at install time:
- npm tokens
- AWS / GCP / Azure access keys and service account keys
- SSH private keys
- .env file secrets (DB passwords, API keys, JWT secrets)
- CI/CD secrets injected as environment variables
- GitHub PATs / deployment keys
Audit CI/CD — for every pipeline run that installed the malicious version, rotate all secrets that were in scope during that run

Block the C2 domain (as a precaution on any potentially exposed network):

# Linux/macOS — /etc/hosts
echo "0.0.0.0 sfrclak.com" | sudo tee -a /etc/hosts

# Linux firewall
sudo iptables -A OUTPUT -d 142.11.206.73 -j DROP

Going forward — prevention

# In CI/CD, always use --ignore-scripts to block postinstall hooks
npm ci --ignore-scripts

Add to package.json to prevent accidental upgrade to malicious range:

{
  "overrides": { "axios": "1.14.0" }
}

Consider tools like StepSecurity Harden-Runner for CI/CD network egress monitoring.

Indicators of Compromise (IOC Reference)

Type	Value
Malicious package	`[email protected]` · shasum `2553649f232204966871cea80a5d0d6adc700ca`
Malicious package	`[email protected]` · shasum `d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71`
Malicious dep	`[email protected]` · shasum `07d889e2dadce6f3910dcbc253317d28ca61c766`
C2 domain	`sfrclak.com`
C2 IP	`142.11.206.73`
C2 URL	`http://sfrclak.com:8000/6202033`
macOS artifact	`/Library/Caches/com.apple.act.mond`
Windows artifact	`%PROGRAMDATA%\wt.exe`
Linux artifact	`/tmp/ld.py`
Safe 1.x version	`[email protected]` · shasum `7c29f4cf2ea91ef05018d5aa5399bf23ed3120eb`

Output format

When running a check, produce a structured report:

## axios Security Check Report

**Project:** \x3Cpath or name>
**Date checked:** \x3Cdate>

### Findings
- [ ] axios version in dependencies: \x3Cversion found or "not found">
- [ ] plain-crypto-js in node_modules: \x3Cyes/no>
- [ ] macOS RAT artifact: \x3Cfound/not found>
- [ ] Linux RAT artifact: \x3Cfound/not found>
- [ ] Windows RAT artifact: \x3Cfound/not found>

### Verdict
\x3CCLEAN | POTENTIALLY EXPOSED | COMPROMISED>

### Recommended Actions
\x3Clist specific next steps based on findings>

Usage Guidance

This is a coherent, purpose-built guide for detecting and responding to the axios/npm compromise. Before using it: (1) do not let an agent run the remediation commands autonomously — require human approval; (2) run checks in an isolated environment or on a copy/backups to avoid contaminating evidence; (3) commands like rm -rf, iptables, and editing /etc/hosts require sudo and can be disruptive — review them before execution; (4) when compromise is confirmed, follow your org's incident-response process (preserve logs, rebuild from known-good media, rotate secrets listed in the guide); (5) verify IOCs (hashes, domain/IP) independently before blocking or taking network action. If you want stricter safety, restrict the skill from autonomous invocation or convert it into a read-only checklist that only suggests commands rather than running them.

Capability Analysis

Type: OpenClaw Skill Name: axios-security-check Version: 1.0.0 The skill is a defensive security tool designed to detect and remediate a specific axios supply chain attack. It provides instructions for the agent to check for malicious package versions, identify RAT artifacts (such as /tmp/ld.py and %PROGRAMDATA%\wt.exe), and implement remediation steps like credential rotation and C2 blocking (sfrclak.com). The logic is consistent with its stated purpose and contains no evidence of malicious intent or harmful prompt injection.

Capability Assessment

✓ Purpose & Capability

The skill name/description match the SKILL.md contents. All checks and remediation steps (lockfile checks, node_modules check, system artifact paths, CI log search, credential rotation, blocking C2) are relevant to investigating a supply-chain RAT introduced by malicious axios/npm packages.

ℹ Instruction Scope

Instructions explicitly direct reading project files (lockfiles, node_modules) and specific system paths (/Library/Caches/com.apple.act.mond, /tmp/ld.py, %PROGRAMDATA%\wt.exe), and include commands that modify system state (rm -rf, echo to /etc/hosts, iptables). Those actions are appropriate for remediation guidance, but they are destructive and require admin privileges — they should be run by a human or incident-response automation with explicit authorization. The SKILL.md does not request unrelated secrets or other system files.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files; nothing is downloaded or written by an installer step, minimizing supply-chain install risk.

✓ Credentials

The skill requests no environment variables or credentials. The remediation guidance correctly calls for rotating credentials if a compromise is confirmed; this is proportional to a post-compromise response and not a precondition of the skill.

ℹ Persistence & Privilege

always:false (good). Model invocation is allowed (default). Because the instructions include potentially-destructive system commands, granting an agent autonomous execution rights would increase risk; prefer human confirmation or restricted automation when performing these steps.

Version History

v1.0.0

Initial release — provides comprehensive detection and guidance for the March 2026 axios supply chain attack. - Detects presence of malicious [email protected] and [email protected], as well as the dropper [email protected]. - Guides users through local and system artifact checks across macOS, Linux, and Windows. - Offers clear remediation steps for both unexposed and confirmed compromises, including credential rotation advice. - Includes detailed indicators of compromise (IOCs) and safe upgrade instructions. - Outputs a structured security check report summarizing findings and recommendations.

Metadata

Slug axios-security-check

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Axios Security Check?

Checks for the March 2026 axios supply chain attack — two malicious npm versions ([email protected] and [email protected]) that injected a RAT dropper via a fake depen... It is an AI Agent Skill for Claude Code / OpenClaw, with 120 downloads so far.

How do I install Axios Security Check?

Run "/install axios-security-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Axios Security Check free?

Yes, Axios Security Check is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Axios Security Check support?

Axios Security Check is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Axios Security Check?

It is built and maintained by Chanrich Pisitjing (@vjumpkung); the current version is v1.0.0.

More Skills

Axios Security Check