Created
March 31, 2026 13:10
Axios npm compromise scanner - checks for malicious versions 1.14.1 and 0.30.4, plain-crypto-js trojan, and C2 callbacks
# Axios NPM Compromise Scanner
# Malicious versions: 1.14.1, 0.30.4 | Attack: March 31, 2026
# https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

## One-liner (curl | bash)

```bash
curl -sL https://gist.githubusercontent.com/tuannvm/bceae613979f7b91586c75262ca37b81/raw/axios-scan.sh | bash
```

## Direct one-liner
```bash
echo "=== Axios Scanner ===" && find ~ -path "*/node_modules/axios/package.json" -type f 2>/dev/null | while read -r p; do v=$(jq -r .version "$p" 2>/dev/null || grep -oP '"version":\s*"\K[^"]+' "$p" | head -1); case $v in 1.14.1|0.30.4) echo "🚨 MALICIOUS: $(dirname "$p") → $v";; *) echo "✅ Safe: $(dirname "$p") → $v";; esac; done && echo && find ~ -path "*/node_modules/plain-crypto-js" -type d 2>/dev/null | head -1 | grep -q . && echo "🚨 TROJAN FOUND" || echo "✅ No trojan" && echo && find ~ -path "*/node_modules/axios/*" -name "*.js" -exec grep -l "sfrclak\.com" {} \; 2>/dev/null | head -1 | grep -q . && echo "🚨 C2 FOUND" || echo "✅ No C2"
```
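
The one-liner above only inspects installed `node_modules` under the home directory. As an added example (not part of the original gist), the same version and package checks applied to a `package-lock.json`, for repositories and CI checkouts where nothing is installed. It assumes npm's pretty-printed lockfile v2/v3 layout; `scan_lockfile` and `write_sample_lock` are hypothetical names and the sample lockfile is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): scan a package-lock.json, lockfileVersion
# 2/3, for the axios versions and plain-crypto-js package named on this page.
# Assumes npm's pretty-printed layout: a "node_modules/<name>": { key line,
# then that entry's "version" line. Function names here are hypothetical.
scan_lockfile() {
  # Prints one finding per line; exit status 1 if anything matched, else 0.
  awk '
    /^ *"node_modules\/[^"]*": *[{]/ {
      key = $0
      sub(/^ *"/, "", key); sub(/".*$/, "", key)
      name = key; sub(/^.*node_modules\//, "", name)  # innermost package name
      pending = 1; next
    }
    pending && /^ *"version":/ {
      ver = $0; pending = 0
      sub(/^[^:]*: *"/, "", ver); sub(/".*$/, "", ver)
      if (name == "axios" && (ver == "1.14.1" || ver == "0.30.4")) {
        print "MALICIOUS axios " ver " at " key; bad = 1
      } else if (name == "plain-crypto-js") {
        print "TROJAN plain-crypto-js " ver " at " key; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample lockfile, not a real project; 0.0.0 is a placeholder.
write_sample_lock() {
  cat > "$1" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/axios": {
      "version": "1.13.6"
    },
    "node_modules/foo/node_modules/axios": {
      "version": "0.30.4"
    },
    "node_modules/plain-crypto-js": {
      "version": "0.0.0"
    }
  }
}
EOF
}

sample=$(mktemp) && write_sample_lock "$sample"
scan_lockfile "$sample" || echo "lockfile references a compromised package"
```

Version 1 lockfiles, which have only a `dependencies` tree, are outside what this function parses.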

## If malicious version found

1. Delete `node_modules` and `package-lock.json`
2. Pin axios: `"overrides": { "axios": "1.13.6" }`
3. Reinstall: `npm ci`
4. Rotate all secrets (system compromised)

## Prevention

```bash
npm config set ignore-scripts true --global
echo "ignore-scripts=true" >> ~/.npmrc
```