SlowMist (@SlowMist_Team) “🚨 SlowMist TI Alert 🚨 Please check for Malicious Versions of #axios 1.14.1 / 0” — TopicDigg

SlowMist
@SlowMist_Team
SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
Joined April 2018
405 Following    88.5K Followers
🚨 SlowMist TI Alert 🚨 Please check for Malicious Versions of #axios 1.14.1 / 0.30.4 and Historical Exposure Risk from global #OpenClaw npm Installation.

As of March 31, 2026, open-source intelligence indicates that axios@1.14.1 and axios@0.30.4 have been confirmed as malicious versions. Both contain an extra dependency, plain-crypto-js@4.2.1, which can deliver cross-platform malicious payloads via its postinstall script.

1️⃣/ The impact on OpenClaw needs to be assessed per scenario:

1) Source Build Scenario: Not Affected 🤖
👉 Lock files in v2026.3.28 actually lock axios@1.13.5 / 1.13.6, which are not malicious versions.

2) npm install -g openclaw@2026.3.28 Scenario: Historical Exposure Risk Exists 🔍
👉 This is because the dependency chain includes:
openclaw -> @line/bot-sdk@10.6.0 -> optionalDependencies.axios@^1.7.4
During the time window when the malicious versions were online, axios@1.14.1 could have been resolved.

3) Current Reinstallation Result: npm now resolves to axios@1.14.0 🧩
👉 However, environments that installed within the attack window should still be treated according to the affected scenario, and IoC checks are recommended.

2️⃣/ Reference for Checks

✅ Check for malicious versions and modules first:
npm list axios 2>/dev/null | grep -E "1.14.1|0.30.4"
grep -A1 '"axios"' package-lock.json 2>/dev/null | grep -E "1.14.1|0.30.4"
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

✅ If OpenClaw was installed globally, also check the global path:
npm root -g
npm ls -g openclaw axios plain-crypto-js @line/bot-sdk --depth=4

3️⃣/ Known IoC Path Checks

#macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"

#Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"

#Windows (cmd.exe)
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED

4️⃣/ Additional Notes
If the plain-crypto-js directory exists, even if its package.json has been cleaned, it should still be treated as a high-risk execution trace.
⚠️ For hosts that executed npm install or npm install -g openclaw@2026.3.28 within the attack window, immediate credential rotation and host-side investigation are recommended.
🚨 Another major supply chain incident 🚨 axios — one of the most widely used npm packages — has been compromised. Malicious versions axios@1.14.1 and axios@0.30.4 were published and are actively dropping malware. The attack pulls in a newly created dependency plain-crypto-js@4.2.1, confirmed as a malicious loader: it executes obfuscated payloads, runs shell commands, and attempts to evade detection while wiping traces. With 100M+ weekly downloads, this is a live, large-scale supply chain attack. More details:
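An added example, not part of the SlowMist post: a Node.js function that walks a parsed package-lock.json (the v2/v3 "packages" map or the v1 "dependencies" tree) and reports the axios versions and the plain-crypto-js package named in the alert, as a structured alternative to the grep on the lock file. The names scanLock and nameFromPath and the sample lockfile are constructed for illustration.

```javascript
// Added example: not code from the SlowMist post. Package names and versions
// below are the ones named in the alert; everything else is constructed.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_DEP = "plain-crypto-js"; // flagged at any version, per the alert's note

// Package name for a v2/v3 "packages" key such as
// "node_modules/@line/bot-sdk/node_modules/axios".
function nameFromPath(path, meta) {
  if (meta.name) return meta.name; // set for aliases and workspaces
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i < 0 ? path : path.slice(i + marker.length);
}

// Returns [{ name, version, where }] for every hit in a parsed lockfile.
function scanLock(lock) {
  const findings = [];
  const check = (name, version, where) => {
    const badAxios = name === "axios" && BAD_AXIOS.has(version);
    if (badAxios || name === BAD_DEP) findings.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path) check(nameFromPath(path, meta), meta.version, path);
    }
    return findings;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample: a v3 lockfile from an install inside the attack window.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@line/bot-sdk": { version: "10.6.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};
for (const f of scanLock(SAMPLE_LOCK)) {
  console.log(`SUSPECT ${f.name}@${f.version} at ${f.where}`);
}
```

To scan a real project, pass the result of JSON.parse on its package-lock.json to scanLock. Global installs have no lock file, so the npm ls -g check from the post still applies there.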