# Detect Axios Malware
Scan the local machine for indicators of compromise from the malicious axios supply-chain attack (March 2026).
## When to Use

✅ USE this skill when:
- "是否中了恶意axios" (was I hit by the malicious axios?) / "npm supply-chain attack check"
- "check if plain-crypto-js is installed"
- "OpenClaw 2026.3.28 安全排查" (OpenClaw 2026.3.28 security check)
- "本机是否被供应链攻击感染" (is this machine infected by the supply-chain attack?)

❌ DON'T use this skill when:
- Remote host scanning → use nmap / nuclei
- Static code analysis → use semgrep
- Binary malware analysis → use VirusTotal
## Background

In March 2026, axios versions 1.14.1 and 0.30.4 were trojaned: both pulled in plain-crypto-js@4.2.1 as a dependency, and its postinstall script dropped a cross-platform backdoor at install time. OpenClaw 2026.3.28 declared axios@^1.7.4 in optionalDependencies, so an install during the attack window could resolve to the trojaned 1.14.1 release. Because the payload ran from a lifecycle script, a machine that installed the bad version is exposed even if the package has since been removed or updated; the checks below therefore look both for the package itself and for what the backdoor leaves behind.
## IOC Summary

| Indicator | Safe | Compromised |
|---|---|---|
| plain-crypto-js directory | absent | present = infected |
| axios version | any except 1.14.1 / 0.30.4 | 1.14.1 or 0.30.4 |
| suspicious process | none | curl/wget/nc in background |

"Safe" here means the indicator was not observed. A node_modules tree outside the searched paths, or a package that was removed after its postinstall already ran, produces no hit, so a clean result from steps 1-3 should be read together with the process, network and persistence checks in steps 4-6.
## Commands

### 1. Check for plain-crypto-js (primary IOC)

```bash
find /home /root /usr/local /tmp -name "plain-crypto-js" -type d 2>/dev/null
```

Any result = compromised. Stop here and rotate all credentials. Add any other location where node_modules trees live on this host (for example /opt, a CI workspace, or a second mounted volume); the four roots above are only the usual places. Run as root where you can, since find silently skips directories it cannot read.
### 2. Scan all installed axios versions

```bash
# -print0/-0 keeps unusual path characters intact, and the path is passed to
# Python as argv[1] instead of being spliced into the script source.
find / -path "*/node_modules/axios/package.json" -print0 2>/dev/null | \
xargs -0 -n1 python3 -c "
import json, sys
path = sys.argv[1]
d = json.load(open(path))
v = d.get('version', '?')
flag = '❌ MALICIOUS' if v in ['1.14.1', '0.30.4'] else '✅ safe'
print(flag, v, path)
" 2>/dev/null
```

Every copy of axios on the machine is listed, including nested copies under another package's node_modules; a single ❌ line is enough to treat the host as compromised.
### 3. Check OpenClaw version

```bash
# $(npm root -g) resolves the global node_modules for the configured npm prefix
# (~/.npm-global/lib/node_modules when the prefix is ~/.npm-global)
python3 -c "import json; d=json.load(open('$(npm root -g)/openclaw/package.json')); print('openclaw', d['version'])" 2>/dev/null || echo "openclaw not found"
```

2026.3.28 = at-risk version, not proof of infection: the optional axios dependency may have resolved to a clean release, so confirm with the axios scan in step 2. A project-local openclaw install is not found by this path, but its axios copy still shows up in step 2.
### 4. Check for suspicious background processes

```bash
# -w matches whole words, so "nc" no longer fires on rsync, sync or similar names
ps aux | grep -Ew "curl|wget|nc|ncat|bash -i|/tmp/[^ ]+" | grep -v grep
```

Check the parent of anything flagged (ps -o ppid= -p PID): a curl run from a shell you are sitting in is expected, one spawned by a node process or running with no controlling TTY is not.
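Step 4 matches patterns against the whole ps line, so the substring "nc " also fires on commands such as rsync -a. The following added Python example (not part of the skill) parses ps aux rows and applies the same four patterns to the executable name and argument list instead, and skips the grep that produced the listing. The ps output it runs over is constructed here; 203.0.113.7 is a documentation address, not an IOC from the advisory.

```python
"""Triage ps aux output for the step 4 patterns (added example)."""
import os
import shlex

# Tool names from step 4, compared against the executable name, not as substrings.
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat"}
PS_FIELDS = 11  # ps aux: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

# Constructed sample, not captured from a real host.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  16000  9000 ?        Ss   09:00   0:01 /sbin/init
alice     2301  0.0  0.0   7000  3000 pts/0    S+   09:05   0:00 rsync -a /srv/ backup:/srv/
alice     2410  0.0  0.0   6000  2500 ?        S    09:07   0:00 /bin/sh -c /tmp/.cache-helper
alice     2411  0.1  0.0  10000  5000 ?        S    09:07   0:00 bash -i
alice     2412  0.0  0.0   9000  2000 ?        S    09:07   0:00 nc 203.0.113.7 4444
bob       2500  0.0  0.0   9000  3000 pts/1    S+   09:08   0:00 grep -E curl|wget|nc |ncat
"""


def parse_ps_line(line):
    """Split one ps aux row; the COMMAND column keeps its embedded spaces."""
    parts = line.split(None, PS_FIELDS - 1)
    if len(parts) < PS_FIELDS or not parts[1].isdigit():
        return None  # header row or truncated line
    return {"user": parts[0], "pid": int(parts[1]), "tty": parts[6], "command": parts[10]}


def triage_command(command):
    """Reasons a command line is suspicious; an empty list means not flagged."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes in the command line
        argv = command.split()
    if not argv:
        return []
    reasons = []
    exe = os.path.basename(argv[0])
    if exe in NETWORK_TOOLS:
        reasons.append(f"network tool {exe}")
    if exe == "bash" and "-i" in argv[1:]:
        reasons.append("interactive bash started with -i")
    tmp_refs = [a for a in argv if a.startswith("/tmp/")]
    if tmp_refs:
        reasons.append("references /tmp: " + " ".join(tmp_refs))
    return reasons


def triage_ps_output(text):
    """Return [(pid, user, tty, reasons)] for flagged rows, skipping grep itself."""
    flagged = []
    for line in text.splitlines():
        row = parse_ps_line(line)
        if row is None or os.path.basename(row["command"].split()[0]) == "grep":
            continue
        reasons = triage_command(row["command"])
        if reasons and row["tty"] == "?":
            reasons.append("no controlling TTY")
        if reasons:
            flagged.append((row["pid"], row["user"], row["tty"], reasons))
    return flagged


def flagged_pids(text=SAMPLE_PS):
    """PIDs flagged in the given ps aux output (defaults to the constructed sample)."""
    return [pid for pid, _u, _t, _r in triage_ps_output(text)]


if __name__ == "__main__":
    for pid, user, tty, reasons in triage_ps_output(SAMPLE_PS):
        print(pid, user, tty, "; ".join(reasons))
```

Feed it live output with triage_ps_output(subprocess.check_output(["ps", "aux"], text=True)); the rsync row in the sample is the false positive the page's regex would have produced, and the rows with TTY "?" are the ones worth chasing to their parent process.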
### 5. Check established network connections

```bash
ss -tnp | grep ESTABLISHED
```

ss only reports the owning process for sockets your user is allowed to inspect, so run it as root. On macOS, where ss does not exist, use lsof -i -nP | grep ESTABLISHED. An outbound connection from a node, curl or nc process to an address you do not recognise goes on the IOC list.
### 6. Check for persistence (crontab, rc files)

```bash
crontab -l 2>/dev/null
tail -20 ~/.bashrc ~/.profile ~/.zshrc 2>/dev/null
```

A dropped backdoor needs a way to survive a reboot, so also look at system-wide cron (/etc/crontab, /etc/cron.d) and, depending on the platform, user systemd units (~/.config/systemd/user) or launchd agents (~/Library/LaunchAgents). Recently appended lines and anything that references /tmp are the ones to read closely.
## Incident Response

If any IOC is found:

1. Rotate all credentials on this machine (API keys, SSH keys, tokens). Do the rotation from a machine you trust; a secret typed into the compromised host before it is rebuilt should be treated as exposed again.
2. Remove the malicious package: `rm -rf /path/to/plain-crypto-js`. This only removes the dropper; whatever its postinstall script installed stays in place, so keep the findings from steps 4-6 and prefer rebuilding the host from a clean image over cleaning it in place.
3. Reinstall clean dependencies: `rm -rf node_modules && npm install`. First confirm that package-lock.json does not resolve axios to 1.14.1 or 0.30.4 and does not list plain-crypto-js at all; a pinned lockfile would reinstall exactly what you just removed. `npm install --ignore-scripts` blocks lifecycle scripts during the reinstall, at the cost of also skipping legitimate ones.
4. Restart OpenClaw: `openclaw daemon restart`
5. Review recent outbound connections in system logs.
## Reference

Advisory: https://www.panewslab.com/zh/articles/019d42da-491d-70b7-b00b-b14e59b97f80