@tuannvm
Created March 31, 2026 13:14
Axios npm compromise scanner - one-liner bash command to detect malicious versions 1.14.1, 0.30.4, plain-crypto-js trojan, and C2 callbacks
#!/bin/bash
echo "=== Axios Compromise Scanner ===" && echo "Malicious: 1.14.1, 0.30.4 | Attack: 2026-03-31" && echo && find ~ -path "*/node_modules/axios/package.json" -type f 2>/dev/null | while IFS= read -r p; do v=$(jq -r '.version' "$p" 2>/dev/null || grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$p" 2>/dev/null | head -1 | cut -d'"' -f4); case "$v" in 1.14.1|0.30.4) echo "🚨 MALICIOUS: $p → $v" ;; *) echo "✓ Safe: $p → $v" ;; esac; done && echo && if find ~ -path "*/node_modules/plain-crypto-js" -type d 2>/dev/null | head -1 | grep -q .; then echo "🚨 TROJAN: plain-crypto-js present"; else echo "✓ No trojan package"; fi && echo && if find ~ -path "*/node_modules/axios/*" -type f -name "*.js" -exec grep -l "sfrclak\.com" {} \; 2>/dev/null | head -1 | grep -q .; then echo "🚨 C2 CALLBACK: sfrclak.com found"; else echo "✓ No C2 callbacks"; fi

Axios NPM Compromise Scanner

Quick Start

One-liner (copy & paste)

echo "=== Axios Compromise Scanner ===" && echo "Malicious: 1.14.1, 0.30.4 | Attack: 2026-03-31" && echo && find ~ -path "*/node_modules/axios/package.json" -type f 2>/dev/null | while IFS= read -r p; do v=$(jq -r '.version' "$p" 2>/dev/null || grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$p" 2>/dev/null | head -1 | cut -d'"' -f4); case "$v" in 1.14.1|0.30.4) echo "🚨 MALICIOUS: $p → $v" ;; *) echo "✓ Safe: $p → $v" ;; esac; done && echo && if find ~ -path "*/node_modules/plain-crypto-js" -type d 2>/dev/null | head -1 | grep -q .; then echo "🚨 TROJAN: plain-crypto-js present"; else echo "✓ No trojan package"; fi && echo && if find ~ -path "*/node_modules/axios/*" -type f -name "*.js" -exec grep -l "sfrclak\.com" {} \; 2>/dev/null | head -1 | grep -q .; then echo "🚨 C2 CALLBACK: sfrclak.com found"; else echo "✓ No C2 callbacks"; fi

curl | bash (easiest)

curl -sL https://gist.githubusercontent.com/tuannvm/fe9214691b5cc88996c3f560eea31c70/raw/axios-scan.sh | bash

What it checks

Check                 Description
Axios versions        Scans every node_modules/axios/package.json found under the home directory and reports its version
Malicious detection   Flags versions 1.14.1 and 0.30.4 (published 2026-03-31)
Trojan package        Searches for a plain-crypto-js directory under any node_modules
C2 callbacks          Greps the axios source files for the sfrclak.com domain
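The same indicators can be checked in a project's package-lock.json, which records resolved versions even when node_modules has been deleted or was never installed on the scanning host. The script below is an added example, not part of this gist; it walks both the flat `packages` map (lockfile v2/v3) and the nested `dependencies` tree (v1), and the sample lockfile it runs against is constructed for illustration.

```python
"""Scan a parsed npm package-lock.json for the axios compromise indicators:
axios 1.14.1 / 0.30.4 and the hidden plain-crypto-js dependency.
Added example; the sample lockfile below is constructed, not real data."""
import json
import posixpath

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
TROJAN_PACKAGE = "plain-crypto-js"


def _check(path, version, findings):
    """Record a finding for one installed path such as node_modules/sdk/node_modules/axios."""
    name = posixpath.basename(path)
    if name == "axios" and version in MALICIOUS_AXIOS:
        findings.append(f"MALICIOUS axios {version} at {path}")
    elif name == TROJAN_PACKAGE:
        # Any version counts: the package itself is the trojan indicator.
        findings.append(f"TROJAN {TROJAN_PACKAGE} {version} at {path}")


def _walk_v1(deps, prefix, findings):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        path = posixpath.join(prefix, "node_modules", name)
        _check(path, meta.get("version", ""), findings)
        _walk_v1(meta.get("dependencies", {}), path, findings)


def scan_lockfile(lock):
    """Return the list of findings for a parsed package-lock.json (v1, v2 or v3)."""
    findings = []
    # v2/v3: flat 'packages' map keyed by install path; "" is the root project itself.
    for path, meta in lock.get("packages", {}).items():
        if path:
            _check(path, meta.get("version", ""), findings)
    # v1 only has the nested tree (v2 carries both; avoid double-reporting).
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


# Constructed sample: a v3 lockfile with a compromised top-level axios, its hidden
# plain-crypto-js dependency, and a safe nested axios pulled in by another package.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/legacy-sdk/node_modules/axios": {"version": "1.13.6"}
  }
}""")

if __name__ == "__main__":
    for line in scan_lockfile(SAMPLE_LOCK) or ["no indicators found"]:
        print(line)
```

To scan a real project, load its lockfile with `json.load(open("package-lock.json"))` and pass the result to `scan_lockfile`.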

If malicious version found

  1. Isolate system - Disconnect from network
  2. Delete artifacts:
    rm -rf node_modules package-lock.json
    find . -name "plain-crypto-js" -type d -exec rm -rf {} +
  3. Pin safe version - Add to package.json:
    "overrides": { "axios": "1.13.6" }
  4. Reinstall: npm ci
  5. Rotate secrets - Treat as full compromise, rotate all credentials

Prevention

Disable postinstall scripts globally

npm config set ignore-scripts true --global

Per-project (add to .npmrc)

ignore-scripts=true

Details

  • Attack: npm axios account hijack, malicious versions with RAT
  • Timeline: 2026-03-31, ~3 hours before detection
  • Vector: Hidden dependency plain-crypto-js@4.2.1 with postinstall
  • C2 server: sfrclak.com:8000
  • Source: StepSecurity Blog

Compatibility

  • ✅ Linux (GNU grep, bash)
  • ✅ macOS (BSD grep, bash)
  • ✅ Works without jq (falls back to grep)
  • ✅ No external dependencies required