SlowMist flags malicious axios 1.14.1 and 0.30.4; warns OpenClaw users of npm install exposure
According to ME News, public threat intelligence as of March 31 (UTC+8) has confirmed axios@1.14.1 and axios@0.30.4 as malicious releases. Both versions were modified to include an extra dependency, plaincryptojs@4.2.1, which runs a cross-platform malicious payload through a postinstall script.
SlowMist said the potential impact on OpenClaw depends on how it was installed:
1) Building from source: Not affected. The v2026.3.28 lockfile pins axios@1.13.5 and 1.13.6, neither of which is a flagged version.
2) Installing via npm (npm install -g openclaw@2026.3.28): Prior exposure is possible. The dependency path is openclaw → @line/botsdk@10.6.0 → optionalDependencies → axios@^1.7.4. During the period the malicious packages were available, installs could have resolved to axios@1.14.1.
3) Reinstalling now: npm currently resolves to axios@1.14.0. Even so, any environment installed during the attack window should be treated as potentially compromised and checked for indicators of compromise (IoCs).
SlowMist also warned that the presence of a plaincryptojs directory should be treated as a high-risk execution artifact even if its package.json has been removed. For any host that ran npm install or npm install -g openclaw@2026.3.28 during the affected period, the firm recommends immediate credential rotation and host-level investigation. (Source: ODAILY)