tjefferson

Check Axios Malware

by Jeff · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ · Security: Clean
122 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install check-axios-malware
Description
Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via [email protected]). Use when: user asks about...
README (SKILL.md)

Check Axios Malware

Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).

When to Use

USE this skill when:

  • "Have I been hit by the malicious axios" / "npm supply-chain attack check"
  • "check if plain-crypto-js is installed"
  • "OpenClaw 2026.3.28 security check"
  • "Is this machine infected by the supply-chain attack"

DON'T use this skill when:

  • Remote host scanning → use nmap / nuclei
  • Static code analysis → use semgrep
  • Binary malware analysis → use VirusTotal

Background

In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned via [email protected] as a dependency. The malicious postinstall script delivered a cross-platform backdoor. OpenClaw 2026.3.28 used axios@^1.7.4 in optionalDependencies and was at risk during the attack window.

IOC Summary

| Indicator           | Safe                          | Compromised                  |
|---------------------|-------------------------------|------------------------------|
| plain-crypto-js dir | absent                        | present = infected           |
| axios version       | any except 1.14.1 / 0.30.4    | 1.14.1 or 0.30.4             |
| suspicious process  | none                          | curl/wget/nc in background   |

Commands

1. Check for plain-crypto-js (primary IOC)

find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null

Any result = compromised. Stop here and rotate all credentials.

2. Scan all installed axios versions

find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
  xargs -I{} python3 -c "
import json
d = json.load(open('{}'))
v = d.get('version','?')
flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
print(flag, v, '{}')
" 2>/dev/null

3. Check OpenClaw version

python3 -c "import json; d=json.load(open('$HOME/.npm-global/lib/node_modules/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"

2026.3.28 = at-risk version (check axios version above to confirm).

4. Check for suspicious background processes

ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep

5. Check established network connections

ss -tnp | grep ESTABLISHED

6. Check for persistence (crontab, rc files)

crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
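Steps 1, 2 and 4 above combined into one script, added here as an example rather than taken from the skill itself: it scans the given roots for the plain-crypto-js directory and for any installed axios at a trojaned version, filters ps output with step 4's pattern, and exits non-zero when an indicator is present. It assumes POSIX sh with find, sed and grep; reading the version field with sed is a substitution for the skill's python3 one-liner, and the file name check-axios-ioc.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the skill): consolidated local IOC check for the
# axios / plain-crypto-js supply-chain indicators. Assumes POSIX sh, find, sed, grep.

# Trojaned axios versions named in the IOC summary.
BAD_AXIOS_VERSIONS="1.14.1 0.30.4"

# is_bad_axios_version VERSION -> exit 0 if VERSION is one of the trojaned releases.
is_bad_axios_version() {
  for bad in $BAD_AXIOS_VERSIONS; do
    [ "$1" = "$bad" ] && return 0
  done
  return 1
}

# package_version FILE -> print the first "version" value in a package.json, or "?".
# Heuristic: matches the "version": "..." pair the way npm writes it.
package_version() {
  v=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
  [ -n "$v" ] && printf '%s\n' "$v" || printf '?\n'
}

# scan_roots ROOT... -> one line per axios install or plain-crypto-js directory found
# under the given roots; exit 0 if clean, 1 if any IOC is present.
scan_roots() {
  hits=0
  list=$(mktemp)
  for root in "$@"; do
    [ -d "$root" ] || continue
    # Primary IOC (step 1): the plain-crypto-js directory.
    find "$root" -name plain-crypto-js -type d 2>/dev/null > "$list" || true
    while IFS= read -r d; do
      printf 'IOC plain-crypto-js directory: %s\n' "$d"
      hits=$((hits + 1))
    done < "$list"
    # Secondary IOC (step 2): any installed axios at a trojaned version.
    find "$root" -path '*/node_modules/axios/package.json' 2>/dev/null > "$list" || true
    while IFS= read -r pj; do
      v=$(package_version "$pj")
      if is_bad_axios_version "$v"; then
        printf 'IOC axios %s: %s\n' "$v" "$pj"
        hits=$((hits + 1))
      else
        printf 'ok  axios %s: %s\n' "$v" "$pj"
      fi
    done < "$list"
  done
  rm -f "$list"
  [ "$hits" -eq 0 ]
}

# suspicious_processes < PS_OUTPUT -> lines matching step 4's pattern, minus grep itself.
suspicious_processes() {
  grep -E '(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)' | grep -v 'grep'
}

# Run as: sh check-axios-ioc.sh /home /root /usr/local /tmp
if [ "$#" -gt 0 ]; then
  scan_roots "$@"
  rc=$?
  ps aux | suspicious_processes
  exit $rc
fi
```

The functions take their input as arguments or on stdin so the version parser and the process filter can be exercised against constructed data before the script is run over a real host; a non-zero exit from scan_roots is the signal to stop and follow the Incident Response steps.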

Incident Response

If any IOC is found:

  1. Rotate all credentials on this machine (API keys, SSH keys, tokens)
  2. Remove the malicious package: rm -rf /path/to/plain-crypto-js
  3. Reinstall clean dependencies: rm -rf node_modules && npm install
  4. Restart OpenClaw: openclaw daemon restart
  5. Review recent outbound connections in system logs

Reference

Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80

Usage Guidance
This skill is a coherent local compromise check. Before running:
  1. Run as an account with appropriate permissions (root for a full scan), or be prepared for many permission-denied messages.
  2. Treat any positive IOC as high-severity, but verify results before running destructive cleanup commands; back up important data and export logs first.
  3. The find / command can be slow and resource-heavy; narrow the search to likely locations if needed.
  4. Rotating credentials and taking the host offline are sensible next steps once a compromise is confirmed.
  5. For automated, non-destructive analysis, first copy suspected files to an isolated host for analysis, or use specialized incident-response tools.
Capability Analysis
Type: OpenClaw Skill
Name: check-axios-malware
Version: 1.0.0
The skill is a diagnostic tool designed to detect indicators of compromise (IOCs) related to a specific (hypothetical/future) axios supply-chain attack. It uses standard system utilities like 'find', 'ps', 'ss', and 'crontab' in SKILL.md to check for malicious directories, specific package versions, and suspicious network or process activity. No evidence of data exfiltration, obfuscation, or unauthorized execution was found.
Capability Assessment
Purpose & Capability
Name/description (scan local machine for axios/plain-crypto-js IOC) match the requested binaries and the commands in SKILL.md. Required tools (find, ps, ss, crontab, python3) are necessary for the provided checks; no unrelated credentials, binaries, or installation steps are requested.
Instruction Scope
Instructions are limited to local discovery: searching filesystem for package dirs and package.json files, enumerating processes and established connections, and checking crontab/rc files. They do not instruct exfiltration or sending results to external endpoints. Note: some commands (find / ...) are broad and can be IO‑heavy; the incident response steps include destructive actions (rm -rf node_modules) and service restart which are expected for cleanup but should be run only after confirmation/backups.
Install Mechanism
No install spec or downloaded artifacts — instruction-only skill. This minimizes risk from installation of third‑party code.
Credentials
No environment variables or credentials are requested. The SKILL.md uses $HOME implicitly (to check an OpenClaw package path), which is reasonable and expected for a local scan.
Persistence & Privilege
always:false and no instructions to persist itself or modify other skills/system-wide agent configuration. The skill recommends user actions (rotate credentials, remove files, restart daemon) but does not request elevated persistent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install check-axios-malware
  3. After installation, invoke the skill by name or use /check-axios-malware
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: scan local machine for axios supply-chain attack IOCs ([email protected], axios 1.14.1/0.30.4, March 2026)
Metadata
Slug check-axios-malware
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Check Axios Malware?

Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via [email protected]). Use when: user asks about... It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.

How do I install Check Axios Malware?

Run "/install check-axios-malware" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Check Axios Malware free?

Yes, Check Axios Malware is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Check Axios Malware support?

Check Axios Malware is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Check Axios Malware?

It is built and maintained by Jeff (@tjefferson); the current version is v1.0.0.
