{"id":48908570,"url":"https://github.com/linketh/check-axios-compromise","last_synced_at":"2026-04-16T22:03:43.905Z","repository":{"id":348341326,"uuid":"1197603558","full_name":"LinkeTh/check-axios-compromise","owner":"LinkeTh","description":"Linux check script for latest axios supply chain attack. ","archived":false,"fork":false,"pushed_at":"2026-03-31T18:12:06.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-31T20:18:57.877Z","etag":null,"topics":["axios","claude-code","npm","supply-chain"],"latest_commit_sha":null,"homepage":"https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LinkeTh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-31T18:06:09.000Z","updated_at":"2026-03-31T18:12:09.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/LinkeTh/check-axios-compromise","commit_stats":null,"previous_names":["linketh/check-axios-compromise"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/LinkeTh/check-axios-compromise","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LinkeTh%2Fcheck-axios-compromise","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LinkeTh%2Fcheck-axios-compromise/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LinkeTh%2Fcheck-axios-compromise/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LinkeTh%2Fcheck-axios-compromise/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LinkeTh","download_url":"https://codeload.github.com/LinkeTh/check-axios-compromise/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LinkeTh%2Fcheck-axios-compromise/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31905895,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-16T18:22:33.417Z","status":"ssl_error","status_checked_at":"2026-04-16T18:21:47.142Z","response_time":69,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["axios","claude-code","npm","supply-chain"],"created_at":"2026-04-16T22:03:22.014Z","updated_at":"2026-04-16T22:03:43.874Z","avatar_url":"https://github.com/LinkeTh.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# check-axios-compromise\n\nA fast local scanner for the March 31, 2026 Axios npm supply-chain incident.\n\nIt scans lockfiles, optionally checks `node_modules`, and runs Linux IOC checks for known indicators tied to the malicious Axios releases.\n\n## What this script checks\n\n### Lockfiles\n\n- `package-lock.json`\n- `yarn.lock`\n- `bun.lock`\n- `bun.lockb` (best-effort text parsing)\n\nThe script looks for:\n\n- `axios@1.14.1` (compromised)\n- `axios@0.30.4` (compromised)\n- `plain-crypto-js@4.2.1` (malicious dependency)\n- `@qqbrowser/openclaw-qbot@0.0.130` (related compromised package)\n- `@shadanai/openclaw@2026.3.31-1` and `@shadanai/openclaw@2026.3.31-2` (related compromised versions)\n\n### `node_modules` artifacts (optional, enabled by default)\n\nScans discovered `node_modules` directories for installed copies of:\n\n- `axios`\n- `plain-crypto-js`\n- `@qqbrowser/openclaw-qbot`\n- `@shadanai/openclaw`\n\n### Linux IOC checks (optional, enabled by default)\n\n- File IOC: `/tmp/ld.py`\n- Process matches containing `ld.py`, `sfrclak.com`, or `142.11.206.73`\n- Active network connections to `142.11.206.73`\n\n## Requirements\n\n- `bash`\n- `python3`\n\nOptional (used automatically for speed):\n\n- `fd` or `fdfind`\n- `rg` (ripgrep)\n\n## Usage\n\n```bash\n./check-axios-compromise.sh [options]\n```\n\nOptions:\n\n- `-r, --root \u003cpath\u003e`: root directory to scan (default: `$HOME`)\n- `--skip-node-modules`: skip installed package checks\n- `--skip-ioc`: skip IOC checks\n- `--lockfiles-only`: scan only lockfiles\n- `-h, --help`: show help\n\n## Examples\n\nScan your full home directory:\n\n```bash\n./check-axios-compromise.sh\n```\n\nScan a specific directory:\n\n```bash\n./check-axios-compromise.sh --root \"/path/to/projects\"\n```\n\nOnly check lockfiles:\n\n```bash\n./check-axios-compromise.sh --lockfiles-only\n```\n\n## Exit codes\n\n- `0`: no critical findings (warnings may still exist)\n- `1`: critical finding detected (potential exposure)\n- `2`: invalid usage or missing required dependency\n\n## Output interpretation\n\n- `[ALERT]`: critical hit (treat as potential compromise)\n- `[WARN]`: non-critical but suspicious or incomplete data\n- `[OK]`: check passed\n- `[INFO]`: progress information\n\nAt the end, the script prints a summary with lockfile count, critical findings, and warnings.\n\n## Limitations\n\n- Detects known indicators only; it is not a full malware forensics tool.\n- IOC checks are Linux-specific.\n- `bun.lockb` is parsed as text best-effort and may miss edge cases.\n- Deep historical compromise analysis still requires CI logs, endpoint telemetry, and credential audit.\n\n## If you get a critical finding\n\nRecommended immediate actions:\n\n1. Isolate affected machine(s).\n2. Revoke and rotate credentials used on those hosts.\n3. Review CI/build logs for `2026-03-31 00:21-03:29 UTC`.\n4. Rebuild affected environments from known-clean images.\n\n## Reference\n\n- Snyk write-up: `https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinketh%2Fcheck-axios-compromise","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flinketh%2Fcheck-axios-compromise","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinketh%2Fcheck-axios-compromise/lists"}