🚨 URGENT: Axios npm Package Compromised — Supply Chain Attack Delivers Cross-Platform RAT

(March 31, 2026 — 00:21–03:29 UTC)

What happened?

Malicious versions axios@1.14.1 and axios@0.30.4 were published via a hijacked maintainer account. They silently installed a cross-platform RAT via a hidden dependency (plain-crypto-js@4.2.1) during npm install.

Who’s at risk?

• CI/CD pipelines that auto-install without pinning versions
• Developers who ran npm install or npm update between 00:21–03:29 UTC
• Projects using @qqbrowser/openclaw-qbot or @shadanai/openclaw

Check your lockfile:

grep -E "axios@(1\.14\.1|0\.30\.4)" package-lock.json yarn.lock

If affected — assume breach:

• Isolate systems
• Rotate ALL secrets (API keys, tokens, SSH keys)
• Rebuild from clean images — don’t clean in place
• Check for IOCs:
  • macOS: /Library/Caches/com.apple.act.mond
  • Windows: %PROGRAMDATA%\wt.exe
  • Linux: /tmp/ld.py
  • Network: sfrclak[.]com:8000

Prevent future attacks:

✅ Pin dependency versions

✅ Use npm ci in CI

✅ Commit lockfiles

✅ Consider --ignore-scripts in CI

✅ Use Snyk or similar to scan dependencies

🔗 Safe versions: Any axios version except 1.14.1 or 0.30.4