Bash script to check if you were hit by the axios supply chain attack
# is-my-axios-safe
A simple bash script that checks your local machine for compromised `axios` npm packages from the March 2026 supply chain attack. See https://socket.dev/blog/axios-npm-package-compromised for an ongoing writeup.
In March 2026, malicious versions of axios ([1.14.1](https://www.npmjs.com/package/axios/v/1.14.1) and [0.30.4](https://www.npmjs.com/package/axios/v/0.30.4)) were published to npm containing a postinstall script that installed a Remote Access Trojan (RAT) dropper via a hidden dependency (`plain-crypto-js`).
This script checks your projects and system for signs of the compromise.
**WARNING**: only tested on macOS; help testing on other OSes is welcome.
## What it checks
| Detection Layer | What It Looks For |
|---|---|
| **node_modules** | Installed `axios@1.14.1` or `axios@0.30.4`, presence of `plain-crypto-js` |
| **Lockfiles** | Compromised versions or `plain-crypto-js` in package-lock.json, yarn.lock, pnpm-lock.yaml |
| **npm cache** | Cached tarballs matching known-bad SHA1 hashes |
| **RAT artifacts** | Platform-specific payload files dropped by the malware |
### RAT artifact locations
| Platform | Path |
|---|---|
| macOS | `/Library/Caches/com.apple.act.mond` |
| Linux | `/tmp/ld.py` |
| Windows | `%PROGRAMDATA%\wt.exe`, `%TEMP%\6202033.vbs`, `%TEMP%\6202033.ps1` |
## Requirements
- Bash 3.2+ (works with macOS default /bin/bash)
- Standard Unix tools (find, grep, awk, sed)
- jq (optional; used for JSON parsing when available, falls back to grep/awk)
## Usage
```bash
# Scan the current directory
./check-axios.sh
# Scan specific directories
./check-axios.sh ./my-project ./another-project
```
## Output
The output distinguishes between two severity levels:
- **WARN** -- A compromised axios version is present (in `node_modules`, a lockfile or the npm cache), but there is no evidence that the postinstall dropper actually executed.
- **CRITICAL** -- The dropper executed. Evidence is the `plain-crypto-js` package or the RAT payload files on disk. The output includes remediation steps.
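As an added example (not the project's own `check-axios.sh`), the shell functions below implement the `node_modules`, lockfile and RAT-artifact layers from the tables above and map findings to the WARN / CRITICAL levels described in this section, exercised against constructed fixtures. The exit codes (0 clean, 1 WARN, 2 CRITICAL), the root-prefix argument that points the artifact check at a fixture directory instead of `/`, the lockfile patterns matched, treating a lockfile reference to `plain-crypto-js` as CRITICAL, and the fixture contents are assumptions of this example; the npm-cache layer is left out because the page does not list the SHA1 hashes, and the Windows paths are not checked from a POSIX shell.

```shell
#!/usr/bin/env bash
# Added example, not the project's check-axios.sh. Implements the node_modules,
# lockfile and RAT-artifact layers and maps findings to WARN / CRITICAL.
# Assumed exit codes: 0 clean, 1 WARN, 2 CRITICAL. The npm-cache layer (hashes
# not listed on the page) and the Windows artifact paths are not covered here.
BAD_VERSIONS="1.14.1 0.30.4"   # compromised versions named in the README
HIDDEN_DEP="plain-crypto-js"    # hidden dependency pulled in by the dropper

# Print the version field of $1/node_modules/axios/package.json (nothing if absent).
installed_axios_version() {
    local pkg="$1/node_modules/axios/package.json"
    [ -f "$pkg" ] || return 0
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# Succeed if $1 is one of the compromised versions.
is_bad_version() {
    local v
    for v in $BAD_VERSIONS; do [ "$1" = "$v" ] && return 0; done
    return 1
}

# Succeed if lockfile $1 pins axios version $2: the registry tarball name, a
# yarn/pnpm "axios@X" key, or the "version" field directly under an npm-lockfile
# axios entry (this pattern set is an assumption of the example).
lock_has_bad_axios() {
    local re; re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "axios-$re\.tgz|axios@$re[\":]" "$1" && return 0
    awk -v v="$2" '/"([^"]*\/)?axios": *[{]/ {f=1}
        f && /"version":/ {if (index($0, "\"" v "\"")) found=1; f=0}
        END {exit found ? 0 : 1}' "$1"
}

# Scan one project directory; print one "LEVEL layer: detail" line per finding.
scan_project() {
    local dir="$1" ver lock f v
    ver=$(installed_axios_version "$dir")
    if [ -n "$ver" ] && is_bad_version "$ver"; then
        echo "WARN node_modules: axios@$ver installed in $dir"
    fi
    [ -d "$dir/node_modules/$HIDDEN_DEP" ] && echo "CRITICAL node_modules: $HIDDEN_DEP present in $dir"
    for lock in package-lock.json yarn.lock pnpm-lock.yaml; do
        f="$dir/$lock"
        [ -f "$f" ] || continue
        # A lockfile reference to the hidden dependency is rated CRITICAL here (assumption).
        grep -Fq "$HIDDEN_DEP" "$f" && echo "CRITICAL lockfile: $HIDDEN_DEP referenced in $f"
        for v in $BAD_VERSIONS; do
            lock_has_bad_axios "$f" "$v" && echo "WARN lockfile: axios@$v pinned in $f"
        done
    done
    return 0
}

# Check the macOS/Linux artifact paths from the table; $1 is a root prefix
# ("" for the live system, a fixture directory in tests).
check_rat_artifacts() {
    local root="$1" p
    for p in /Library/Caches/com.apple.act.mond /tmp/ld.py; do
        [ -e "$root$p" ] && echo "CRITICAL rat: $p present"
    done
    return 0
}

# check_axios ROOT DIR... : run every layer, print findings, return 0/1/2.
check_axios() {
    local root="$1" out d; shift
    out=$( for d in "$@"; do scan_project "$d"; done; check_rat_artifacts "$root" )
    [ -n "$out" ] && printf '%s\n' "$out"
    case "$out" in
        *CRITICAL*) return 2 ;;
        *WARN*)     return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed fixtures (not real captures): a clean project, a WARN project, a
# CRITICAL project, and a fake system root carrying the Linux artifact path.
make_fixtures() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/clean/node_modules/axios" "$root/warn/node_modules/axios" "$root/critical" "$root/sysroot/tmp"
    printf '{\n  "name": "axios",\n  "version": "1.12.0"\n}\n' > "$root/clean/node_modules/axios/package.json"
    printf '{\n  "name": "axios",\n  "version": "1.14.1"\n}\n' > "$root/warn/node_modules/axios/package.json"
    cat > "$root/critical/package-lock.json" <<'EOF'
{
  "packages": {
    "node_modules/axios": {
      "version": "0.30.4",
      "resolved": "https://registry.npmjs.org/axios/-/axios-0.30.4.tgz"
    },
    "node_modules/plain-crypto-js": {}
  }
}
EOF
    : > "$root/sysroot/tmp/ld.py"
    echo "$root"
}

# Demo run against the fixtures: prints the findings and the overall status.
demo_root=$(make_fixtures)
check_axios "$demo_root/sysroot" "$demo_root/clean" "$demo_root/warn" "$demo_root/critical" || echo "exit status: $?"
rm -rf "$demo_root"
```

Running the file as-is prints one WARN line for the `warn` fixture, a CRITICAL and a WARN line for the `critical` lockfile, a CRITICAL line for the fake `/tmp/ld.py`, and `exit status: 2`; pass `""` as the root prefix and your own project directories to scan a live machine with the same functions.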
## Running tests
```bash
bash test-check-axios.sh
```
The test suite creates temporary directory fixtures, runs the detector against them, and verifies exit codes and output messages. It covers `node_modules` detection, all lockfile formats, false-positive regressions, and CLI argument handling.
## If you're compromised
If the script reports CRITICAL findings:
1. Isolate the machine from the network
2. Rotate all credentials, tokens, and keys accessible from the machine
3. Check for RAT payloads at the paths listed above
4. Audit outbound connections to `sfrclak.com` / `142.11.206.73`
5. Remove compromised packages and clear npm cache (`npm cache clean --force`)
6. Consider reimaging the machine