tjefferson

Check Axios Malware

Author: Jeff · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ security check passed
122 total downloads · 0 favourites · 0 current installs · 1 version
Install in OpenClaw
/install check-axios-malware
Description
Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via [email protected]). Use when: user asks about...
Usage (SKILL.md)

Check Axios Malware

Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).

When to Use

USE this skill when:

  • "Am I infected with the malicious axios?" / "npm supply-chain attack check"
  • "check if plain-crypto-js is installed"
  • "OpenClaw 2026.3.28 security check"
  • "Has this machine been hit by a supply-chain attack?"

DON'T use this skill when:

  • Remote host scanning → use nmap / nuclei
  • Static code analysis → use semgrep
  • Binary malware analysis → use VirusTotal

Background

In March 2026, axios versions 1.14.1 and 0.30.4 were published with a malicious dependency, [email protected]. Its postinstall script dropped a cross-platform backdoor, so simply installing either axios release was enough to execute it. OpenClaw 2026.3.28 declared axios@^1.7.4 in optionalDependencies; because ^1.7.4 resolves to the newest 1.x release available, a fresh install during the attack window could pull 1.14.1, which is why that OpenClaw version is treated as at risk.

IOC Summary

Indicator             Safe                          Compromised
plain-crypto-js dir   absent                        present = infected
axios version         any except 1.14.1 / 0.30.4    1.14.1 or 0.30.4
suspicious process    none                          curl/wget/nc in background

Commands

1. Check for plain-crypto-js (primary IOC)

find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null

Any result = compromised. Stop here and rotate all credentials. Extend the directory list to wherever this host keeps Node projects (e.g. /opt, /srv, CI workspaces); an empty result proves nothing for locations the search did not cover.

2. Scan all installed axios versions

find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
  xargs -I{} python3 -c "
import json, sys
# path is passed as argv[1] rather than interpolated into the script,
# so a path containing quotes cannot break or alter the Python code
p = sys.argv[1]
d = json.load(open(p))
v = d.get('version','?')
flag = '❌ MALICIOUS' if v in ['1.14.1','0.30.4'] else '✅ safe'
print(flag, v, p)
" {} 2>/dev/null

3. Check OpenClaw version

OPENCLAW_PKG="$(npm root -g 2>/dev/null || echo "$HOME/.npm-global/lib/node_modules")/openclaw/package.json"
python3 -c "import json,sys; d=json.load(open(sys.argv[1])); print('openclaw', d['version'])" "$OPENCLAW_PKG" 2>/dev/null || echo "openclaw not found"

2026.3.28 = at-risk version (check the axios version above to confirm). The global package path depends on the npm prefix, so npm root -g is consulted first and $HOME/.npm-global is only a fallback.

4. Check for suspicious background processes

ps aux | grep -E "(curl|wget|nc |ncat|bash -i|/tmp/[^ ]+)" | grep -v grep

Expect benign hits (package managers, monitoring agents). Treat a match as suspicious when the binary runs from /tmp or a hidden directory, the command line looks like a reverse shell (bash -i, nc with -e), or the parent is a node process.

5. Check established network connections

ss -tnp state established
lsof -nP -iTCP -sTCP:ESTABLISHED 2>/dev/null   # portable alternative (Linux and macOS)

Note that ss prints the state as ESTAB, not ESTABLISHED, so filtering its output with grep ESTABLISHED matches nothing; the state filter above is the reliable form.

6. Check for persistence (crontab, rc files)

crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
ls -la /etc/cron.d ~/.config/systemd/user 2>/dev/null       # system and user-unit persistence
ls -la ~/Library/LaunchAgents 2>/dev/null                     # macOS equivalent

Incident Response

If any IOC is found:

  1. Rotate every credential the affected user could read (API keys, SSH keys, tokens, cloud and npm credentials); assume the postinstall script had the same access as npm install.
  2. Remove the malicious package: rm -rf /path/to/plain-crypto-js
  3. Reinstall clean dependencies: check package-lock.json first, because a lockfile that still pins axios 1.14.1 / 0.30.4 (or plain-crypto-js) will reinstall the compromise; then rm -rf node_modules && npm install --ignore-scripts, so no postinstall hook runs until the tree has been verified.
  4. Restart OpenClaw: openclaw daemon restart
  5. Review recent outbound connections in system logs
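The six commands above, together with incident-response step 3, describe one procedure: find an installed plain-crypto-js directory, find installed axios copies with a trojaned version, and make sure the lockfile will not bring either back. The script below is an added example (not the skill's own SKILL.md code) that performs those three checks over a directory tree in one pass. It reads package-lock.json in the real npm lockfile layouts (lockfileVersion 2/3 'packages' map keyed by install path; lockfileVersion 1 nested 'dependencies'); the function names and the three-project sample tree built in demo() are my own constructions for illustration, not observed data.

```python
"""Tree scan for the axios / plain-crypto-js indicators listed above.

Added example, not code from the skill's SKILL.md. Besides the installed
node_modules checks it reads package-lock.json, because a lockfile that
still pins axios 1.14.1 / 0.30.4 or plain-crypto-js reinstalls the
compromise on the next `npm install` even after node_modules is deleted.
The sample tree built in demo() is constructed for illustration.
"""
import json
import os
import tempfile

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}  # trojaned releases named in the advisory
IOC_PACKAGE = "plain-crypto-js"         # dependency that carried the backdoor


def classify_axios(version):
    """'malicious' for the trojaned releases, 'ok' for anything else."""
    return "malicious" if version in MALICIOUS_AXIOS else "ok"


def scan_lock(lock):
    """Yield (install_path, name, version) for every entry of a parsed lockfile.

    lockfileVersion 2/3: flat 'packages' map keyed by "node_modules/<name>".
    lockfileVersion 1: nested 'dependencies' maps, walked iteratively.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project itself
            yield path, path.rsplit("node_modules/", 1)[-1], (meta or {}).get("version", "?")
        return
    stack = [("", lock.get("dependencies") or {})]
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            meta = meta or {}
            yield path, name, meta.get("version", "?")
            if isinstance(meta.get("dependencies"), dict):
                stack.append((path + "/", meta["dependencies"]))


def findings_from_lock(lock, lock_path="package-lock.json"):
    """('lock', lock_path, detail) for each pinned IOC package in a parsed lockfile."""
    out = []
    for path, name, version in scan_lock(lock):
        if name == IOC_PACKAGE:
            out.append(("lock", lock_path, f"{IOC_PACKAGE}@{version} pinned at {path}"))
        elif name == "axios" and classify_axios(version) == "malicious":
            out.append(("lock", lock_path, f"axios@{version} pinned at {path}"))
    return out


def _read_json(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}  # unreadable or malformed: treated as "no data", not as clean


def scan_tree(root):
    """Walk root; return (kind, path, detail) findings. Empty list = no IOC seen."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = dirpath.split(os.sep)
        base = os.path.basename(dirpath)
        if base == IOC_PACKAGE:  # IOC 1: the directory itself, wherever it sits
            out.append(("installed", dirpath, f"{IOC_PACKAGE} directory present"))
        if base == "axios" and len(parts) > 1 and parts[-2] == "node_modules" and "package.json" in filenames:
            version = _read_json(os.path.join(dirpath, "package.json")).get("version", "?")
            if classify_axios(version) == "malicious":  # IOC 2: installed trojaned axios
                out.append(("installed", dirpath, f"axios@{version}"))
        if "package-lock.json" in filenames and "node_modules" not in parts:
            lock_path = os.path.join(dirpath, "package-lock.json")  # IOC 3: project lockfile
            out.extend(findings_from_lock(_read_json(lock_path), lock_path))
    return out


def demo():
    """Build a constructed three-project tree in a temp dir (not real data) and scan it."""
    root = tempfile.mkdtemp(prefix="axios-ioc-demo-")

    def write_json(rel, obj):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(obj, fh)

    # a: clean axios 1.7.4 installed and lockfile agrees -> no findings
    write_json("a/node_modules/axios/package.json", {"name": "axios", "version": "1.7.4"})
    write_json("a/package-lock.json", {"lockfileVersion": 3, "packages": {
        "": {"name": "a"}, "node_modules/axios": {"version": "1.7.4"}}})
    # b: node_modules already deleted, but the lockfile still pins both bad packages
    write_json("b/package-lock.json", {"lockfileVersion": 3, "packages": {
        "": {"name": "b"}, "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {}}})
    # c: trojaned axios installed with plain-crypto-js beside it
    write_json("c/node_modules/axios/package.json", {"name": "axios", "version": "0.30.4"})
    os.makedirs(os.path.join(root, "c", "node_modules", IOC_PACKAGE))
    return sorted(scan_tree(root))


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for kind, path, detail in results:
        print(f"[{kind}] {detail}  ({path})")
    print("no IOCs found" if not results else f"{len(results)} finding(s); rotate credentials before cleanup")
```

Run it as `python3 scan_axios_ioc.py /home` (or any project root) to scan a real tree; without an argument it scans the constructed sample, which yields four findings: two installed IOCs in project c and two lockfile pins in project b, while the clean project a produces nothing. A 'lock' finding is exactly the case step 3 warns about: deleting node_modules and running npm install would restore the trojaned version.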

Reference

Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80

Safe-usage advice
This skill is a coherent local compromise check. Before running it: (1) run as an account with adequate permissions (root for a full scan), or expect many permission-denied messages; (2) treat any positive IOC as high severity, but verify it before running destructive cleanup commands, and back up important data and export logs first; (3) find / is slow and I/O-heavy, so narrow the search to likely locations where possible; (4) once a compromise is confirmed, rotating credentials and taking the host offline are the sensible next steps; (5) for non-destructive analysis, copy suspected files to an isolated host first or use dedicated incident-response tooling.
Functional analysis
Type: OpenClaw Skill. Name: check-axios-malware. Version: 1.0.0. The skill is a diagnostic tool for detecting indicators of compromise (IOCs) from a specific (hypothetical/future) axios supply-chain attack. SKILL.md uses standard system utilities (find, ps, ss, crontab) to check for malicious directories, specific package versions, and suspicious process or network activity. No evidence of data exfiltration, obfuscation, or unauthorized execution was found.
Capability assessment
Purpose & Capability
The name and description (scan the local machine for axios/plain-crypto-js IOCs) match the requested binaries and the commands in SKILL.md. The required tools (find, ps, ss, crontab, python3) are needed for the checks provided; no unrelated credentials, binaries, or installation steps are requested.
Instruction Scope
Instructions are limited to local discovery: searching the filesystem for package directories and package.json files, enumerating processes and established connections, and checking crontab and rc files. They do not instruct exfiltration or sending results to external endpoints. Note that some commands (find / ...) are broad and I/O-heavy, and the incident-response steps include destructive actions (rm -rf node_modules) and a service restart; these are expected for cleanup but should be run only after confirmation and backups.
Install Mechanism
No install spec or downloaded artifacts — instruction-only skill. This minimizes risk from installation of third‑party code.
Credentials
No environment variables or credentials are requested. SKILL.md uses $HOME (to locate the OpenClaw package path), which is reasonable and expected for a local scan.
Persistence & Privilege
always:false, and no instructions to persist itself or modify other skills or system-wide agent configuration. The skill recommends user actions (rotate credentials, remove files, restart the daemon) but does not request elevated or persistent privileges.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install check-axios-malware
  3. After installation, invoke the skill by name or trigger it with /check-axios-malware
  4. Provide the inputs described in the skill's parameter notes to get structured output
Version history
v1.0.0
Initial release: scan local machine for axios supply-chain attack IOCs ([email protected], axios 1.14.1/0.30.4, March 2026)
Metadata
Slug: check-axios-malware
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is Check Axios Malware?

Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via [email protected]). Use when: user asks about... It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 122 times so far.

How do I install Check Axios Malware?

Run the command "/install check-axios-malware" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Check Axios Malware free?

Yes. Check Axios Malware is completely free under the MIT-0 license and can be downloaded, installed and used without restriction.

Which platforms does Check Axios Malware support?

Check Axios Malware is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops Check Axios Malware?

Developed and maintained by Jeff (@tjefferson); current version v1.0.0.
