GitHub - ShivanKaul/is-my-axios-safe: Simple bash script to check if you have compromised axios packages on your local filesystem.


A simple bash script to detect compromised axios npm packages from the March 2026 supply chain attack on your local machine. See https://socket.dev/blog/axios-npm-package-compromised for an ongoing writeup.

In March 2026, malicious versions of axios (1.14.1 and 0.30.4) were published to npm containing a postinstall script that installed a Remote Access Trojan (RAT) dropper via a hidden dependency (plain-crypto-js). This script checks your projects and system for signs of the compromise.

WARNING: only tested on macOS; help testing on other OSes would be appreciated.

What it checks

| Detection layer | What it looks for |
|---|---|
| node_modules | Installed axios@1.14.1 or axios@0.30.4, presence of plain-crypto-js |
| Lockfiles | Compromised versions or plain-crypto-js in package-lock.json, yarn.lock, pnpm-lock.yaml |
| npm cache | Cached tarballs matching known-bad SHA1 hashes |
| RAT artifacts | Platform-specific payload files dropped by the malware |

RAT artifact locations

| Platform | Path |
|---|---|
| macOS | /Library/Caches/com.apple.act.mond |
| Linux | /tmp/ld.py |
| Windows | %PROGRAMDATA%\wt.exe, %TEMP%\6202033.vbs, %TEMP%\6202033.ps1 |

Requirements

  • Bash 3.2+ (works with macOS default /bin/bash)
  • Standard Unix tools (find, grep, awk, sed)
  • jq (optional; used for JSON parsing when available, falls back to grep/awk)

Usage

```bash
# Scan the current directory
./check-axios.sh

# Scan specific directories
./check-axios.sh ./my-project ./another-project
```

Output

The output distinguishes between two severity levels:

  • WARN -- A compromised axios version was found, but no evidence the dropper actually executed.
  • CRITICAL -- The dropper executed. Evidence includes the plain-crypto-js package or RAT payload files on disk. The output includes remediation steps.
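The following is an added example, not the project's check-axios.sh: a minimal bash detector for the node_modules and lockfile layers that reproduces the WARN/CRITICAL split described above, using the two compromised version numbers and the plain-crypto-js package name from this README (the npm cache and RAT artifact layers are left out).

```bash
#!/usr/bin/env bash
# Added example, not the project's check-axios.sh: detect the node_modules and
# lockfile layers and report WARN (compromised axios installed) or CRITICAL
# (the hidden plain-crypto-js dependency is present as well).
BAD_VERSIONS="1.14.1 0.30.4"   # the compromised releases named in the README

# Print the installed axios version for a project directory, or nothing if absent.
installed_axios_version() {
  local pkg="$1/node_modules/axios/package.json"
  [ -f "$pkg" ] || return 0
  if command -v jq >/dev/null 2>&1; then
    jq -r '.version' "$pkg"
  else
    # Fallback without jq: pull the first "version" field out of the JSON.
    sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
  fi
}

# Exit 0 if the version is one of the compromised releases, 1 otherwise.
is_bad_version() {
  local v
  for v in $BAD_VERSIONS; do [ "$1" = "$v" ] && return 0; done
  return 1
}

# Lockfile layer: the dropper's package name is distinctive enough to grep for.
lockfiles_mention_dropper() {
  local lock
  for lock in package-lock.json yarn.lock pnpm-lock.yaml; do
    [ -f "$1/$lock" ] && grep -q 'plain-crypto-js' "$1/$lock" && return 0
  done
  return 1
}

# Scan one project. Exit codes: 0 clean, 1 WARN, 2 CRITICAL.
scan_project() {
  local dir="$1" status=0 ver
  ver=$(installed_axios_version "$dir")
  if [ -n "$ver" ] && is_bad_version "$ver"; then
    echo "WARN: $dir: axios@$ver is a compromised release"
    status=1
  fi
  if [ -d "$dir/node_modules/plain-crypto-js" ] || lockfiles_mention_dropper "$dir"; then
    echo "CRITICAL: $dir: plain-crypto-js is present, so the dropper was installed"
    status=2
  fi
  [ "$status" -eq 0 ] && echo "OK: $dir"
  return "$status"
}
```

Call `scan_project` once per project directory; the exit code lets a wrapper stop on the first CRITICAL finding.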

Running tests

The test suite creates temporary directory fixtures, runs the detector against them, and verifies exit codes and output messages. It covers node_modules detection, all lockfile formats, false-positive regressions, and CLI argument handling.

If you're compromised

If the script reports CRITICAL findings:

  1. Isolate the machine from the network
  2. Rotate all credentials, tokens, and keys accessible from the machine
  3. Check for RAT payloads at the paths listed above
  4. Audit outbound connections to sfrclak.com / 142.11.206.73
  5. Remove compromised packages and clear npm cache (npm cache clean --force)
  6. Consider reimaging the machine