OpenClaw Security, March 31, 2026

Axios Poisoned in 2026 NPM Attack: OpenClaw Projects Compromised by Malicious RAT

Key Takeaways

  • Axios supply chain attack struck on March 31, 2026: malicious versions 1.14.1 and 0.30.4 released after maintainer account hijack.
  • OpenClaw severely impacted: forks @shadanai/openclaw (versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, 2026.3.31-2) and @qqbrowser/openclaw-qbot (0.0.130) bundled the malware deep in dependencies.
  • Malware mechanics: the hidden dependency plain-crypto-js runs a postinstall script, deploys a cross-platform RAT (Windows/macOS/Linux), connects to C2, then self-deletes to hide traces.
  • Scale: Axios sees hundreds of millions of weekly downloads; OpenClaw users in AI/self-hosted environments face credential theft and persistent access risks.
  • Immediate action: audit lockfiles, downgrade to clean versions, rebuild environments, and rotate all secrets.

The Axios Supply Chain Attack Explained

Analysis shows the attack exploited trust in the npm ecosystem. The primary maintainer’s npm account was compromised, the recovery email was switched to an anonymous ProtonMail address, and GitHub Actions CI/CD was bypassed to publish the tainted packages manually.

Core Axios source code remained untouched. Instead, the attacker injected a single hidden dependency, plain-crypto-js, designed to masquerade as the legitimate crypto-js library. This technique allowed the payload to ride along with any project using caret ranges such as ^1.14.0 or ^0.30.0.

The attack highlights a growing trend: supply-chain compromises now target popular transitive dependencies rather than the main library itself, maximizing blast radius while minimizing detection.

Technical Deep Dive: How the Malicious Payload Works

Security researchers dissected the package and found a multi-stage infection chain:

  • On npm install or npm update, the postinstall hook in plain-crypto-js silently executes setup.js.
  • The script downloads a second-stage remote access trojan (RAT) compiled for Windows, macOS, and Linux.
  • The RAT phones home to a command-and-control server, exfiltrates credentials, and establishes persistence.
  • To evade detection, it replaces its own package.json with a clean version and removes temporary files.

This design ensures the malware survives casual audits and works across development machines, CI runners, and production servers. Compared to earlier npm attacks (such as ua-parser-js or event-stream), the 2026 Axios incident adds cross-platform RAT capabilities and self-cleaning — raising the bar for stealth.

OpenClaw Exposure: Specific Versions and Impact

OpenClaw, a widely used self-hosted AI gateway and assistant framework, was hit through both direct and vendored dependencies.

Affected packages include:

  • @shadanai/openclaw (fork of the original repository): versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, and 2026.3.31-2 — the malicious plain-crypto-js was deeply embedded in the vendored dependency tree.
  • @qqbrowser/openclaw-qbot: version 0.0.130 — explicitly shipped the poisoned [email protected] inside its node_modules.

Even projects that never listed axios as a direct dependency could be compromised if they pulled these OpenClaw forks. The original OpenClaw mainline repository stayed clean, but forks and community packages amplified the reach.

Who Is at Risk: Edge Cases and Real-World Scenarios

Any environment that ran npm install, npm update, or npm ci between March 31 and early April 2026 is potentially exposed. High-risk scenarios include:

  • CI/CD pipelines with automatic dependency updates (Renovate, Dependabot).
  • Dockerfiles or container builds triggered on the attack date.
  • Monorepos and Yarn/PNPM workspaces where lockfiles hide transitive changes.
  • Development machines and shared servers used for OpenClaw AI deployments.

Community feedback suggests thousands of OpenClaw instances in self-hosted AI setups were running vulnerable versions, making this one of the largest indirect impacts of the Axios incident.

Step-by-Step Mitigation: Clean Up Immediately

Follow this exact checklist:

  1. Audit dependencies in your OpenClaw or related project:

    npm list axios
    npm list @shadanai/openclaw
    npm list @qqbrowser/openclaw-qbot
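    # package-lock.json stores versions in "version" fields and tarball URLs (axios-1.14.1.tgz), not as name@version
    grep -nE "axios-(1\.14\.1|0\.30\.4)\.tgz|plain-crypto-js" package-lock.json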
    
  2. Remove compromised artifacts:

    rm -rf node_modules package-lock.json yarn.lock pnpm-lock.yaml
    
  3. Pin clean versions in package.json:

    "axios": "1.14.0"

    (or the latest verified safe release published after the incident). Pin the exact version: a caret range such as ^1.14.0 also accepts 1.14.1.

  4. Reinstall and verify:

    npm install
    npm audit
    
  5. Assume breach: rotate all API keys, SSH credentials, cloud tokens, and OpenClaw configuration secrets. Rebuild Docker images and redeploy.

For OpenClaw forks, switch back to the latest clean mainline or verified community patch.
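
The step 1 audit can also be done by parsing the lockfile instead of pattern-matching it, which matters here because the payload rewrites its own package.json inside node_modules while the lockfile still records what was resolved. The script below is an added example, not code from this article's sources or from the Axios or OpenClaw projects; the sample lockfile and its "0.0.0-placeholder" version are constructed, and the function names are illustrative.

```javascript
const BAD = new Map([ // names and versions as listed in this article; "*" = flag any version
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["*"]],
  ["@shadanai/openclaw", ["2026.3.28-2", "2026.3.28-3", "2026.3.31-1", "2026.3.31-2"]],
  ["@qqbrowser/openclaw-qbot", ["0.0.130"]],
]);

// Yield one record per locked package, for lockfileVersion 1, 2 or 3.
function* entries(lock) {
  if (lock.packages) { // v2/v3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      yield { name, version: meta.version, path, script: !!meta.hasInstallScript };
    }
    return;
  }
  const walk = function* (deps, prefix) { // v1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path, script: false }; // v1 has no script flag
      yield* walk(meta.dependencies, `${path}/`);
    }
  };
  yield* walk(lock.dependencies, "");
}

// hits: entries matching BAD; installScripts: packages npm recorded as having install scripts.
function scanLockfile(lock) {
  const hits = [], installScripts = [];
  for (const e of entries(lock)) {
    const bad = BAD.get(e.name);
    if (bad && (bad.includes("*") || bad.includes(e.version))) {
      hits.push(`${e.name}@${e.version} (${e.path})`);
    }
    if (e.script) installScripts.push(`${e.name}@${e.version}`);
  }
  return { hits, installScripts };
}

// Constructed sample (lockfileVersion 3). "0.0.0-placeholder" is not a real version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "1.14.0" },
  "node_modules/@qqbrowser/openclaw-qbot": { version: "0.0.130" },
  "node_modules/@qqbrowser/openclaw-qbot/node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "0.0.0-placeholder", hasInstallScript: true },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of package-lock.json to scanLockfile before the lockfile is deleted in step 2; the clean top-level axios in the sample is not flagged, while the copy nested under the fork is.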

Advanced Prevention Strategies for NPM Ecosystems

To harden against future attacks:

  • Lock exact versions and commit lockfiles — never rely on floating ranges in production.
  • Integrate automated scanners (Socket Security, Snyk, npm audit, StepSecurity) into every CI run.
  • Enable package provenance and signature verification on npm.
  • Use isolated build environments (e.g., GitHub Actions with ephemeral runners).
  • Monitor dependency changes with tools that alert on maintainer email switches or new postinstall scripts.

These measures have repeatedly proven effective in containing similar incidents and should become standard practice for any OpenClaw or Node.js deployment.

Conclusion

The March 31, 2026 Axios supply chain attack demonstrates how quickly a single maintainer compromise can ripple through the entire open-source ecosystem — including popular AI tools like OpenClaw. With clear evidence of affected versions and a sophisticated RAT payload, the window for damage is narrow but the consequences are severe.

Audit your projects today using the commands and steps above. Update to clean versions, rotate credentials, and adopt stricter dependency hygiene. The OpenClaw and Axios communities have already released guidance; staying ahead of the next attack starts with immediate verification and long-term vigilance.
