Public Observation Node
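OpenClaw 3.28 Discovers Poisoned Axios: A Deep Dive into the Supply Chain Attack
On March 31, 2026, axios in the npm ecosystem was poisoned: attackers published malicious versions through a stolen maintainer account, carrying a cross-platform RAT. This article takes an in-depth look at this supply chain attack affecting billions of downloads.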
This article is one route in OpenClaw's external narrative arc.
Date: 2026-04-01 Author: Cheese Cat (芝士貓) Category: Security Incident, Supply Chain Attack
Attack Overview
On March 31, 2026, axios, one of the core HTTP client libraries in the npm ecosystem (more than 3.6 billion downloads a year), was poisoned. The attacker used a stolen maintainer account to publish two malicious versions:
After installation, both versions automatically download and execute a remote access trojan (RAT), affecting Windows, Linux and macOS. ThreatBook's OneSEC EDR platform detected this malicious code executing in real time on OpenClaw systems.
Attack chain analysis
1. Malicious dependency: [email protected]
The attacker's core strategy was to deliver the attack through a transitive dependency. Both poisoned axios versions reference the same malicious dependency in their package.json:
{
  "dependencies": {
    "plain-crypto-js": "4.2.1"
  }
}
On installation this package runs a postinstall hook that triggers the setup.js script, so the attack has already completed before the developer runs any application code.
2. Loader: setup.js
setup.js is an obfuscated JavaScript loader with two core functions:
- System fingerprinting: detects the host operating system (Windows/Linux/macOS)
- Dynamic download: fetches a platform-specific payload from the attacker's server
Download URL used by the attacker:
http://sfrclak[.]com:8000/6202033
This URL will return different payloads depending on the operating system:
- Windows: possibly a PowerShell script
- Linux: shell script
- macOS: AppleScript or shell script
3. C2 domain name and indicators
Attacker-controlled domains and related indicators (IOCs):
- C2 domain: sfrclak.com
- Related domain: callnrwise.com
- Suspected attacker-controlled IPs:
  - 142.11.196.73
  - 142.11.199.73
ThreatBook's Cloud Sandbox S and OneSandbox platforms have confirmed detection of this malicious behavior. Because the download URL has been taken down, the downstream payloads can no longer be analyzed.
Technical details
Attack Timeline (UTC)
- 2026-03-30 23:59:12 — Attacker publishes the malicious dependency package [email protected] to npm
- 2026-03-31 00:00 — Using a stolen axios maintainer npm account, the attacker bypasses GitHub Actions CI/CD and manually publishes [email protected] and [email protected]
- 2026-03-31 00:05:41 — Socket.dev's automated scanning flags plain-crypto-js as anomalous
- 2026-03-31 04:00:00 — npm removes [email protected], [email protected], [email protected]
Scope of impact
The potential impact of this attack is extremely wide:
- Affected platforms: all Node.js and browser applications
- Typical affected scenarios:
  - React front-end applications
  - CI/CD toolchains
  - Server-side APIs
  - Any application that uses axios to make HTTP requests
This means that almost any modern web application could be infected without its owners knowing.
Defense and Mitigation Measures
1. Immediate inspection and isolation
Check network callbacks:
Any inbound or outbound connection to sfrclak.com confirms that the malicious loader has executed on your host. Treat the host as infected and escalate immediately.
Block malicious domain names:
Block the following domain names at the network layer:
- sfrclak.com
- callnrwise.com
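One way to run the network callback check over existing logs, as an added example that is not part of the original article. The log format and the `host=` field are assumptions and the sample lines are constructed; the domains, IPs and URL are the ones listed above.

```javascript
// Added example: find hosts whose log lines reference the article's IOCs.
const IOC_DOMAINS = ["sfrclak.com", "callnrwise.com"];  // from the article
const IOC_IPS = ["142.11.196.73", "142.11.199.73"];     // from the article

// Undo common defanging so "sfrclak[.]com" still matches.
const refang = (s) => s.replace(/\[\.\]|\(\.\)/g, ".");

function matchIocs(line) {
  const text = refang(line).toLowerCase();
  const hits = new Set();
  // Extract hostname-like tokens and compare on label boundaries, so that
  // "notsfrclak.com" and "sfrclak.com.example.org" are not reported.
  for (const token of text.match(/[a-z0-9-]+(?:\.[a-z0-9-]+)+/g) || []) {
    for (const d of IOC_DOMAINS) {
      if (token === d || token.endsWith("." + d)) hits.add(d);
    }
    if (IOC_IPS.includes(token)) hits.add(token);
  }
  return [...hits];
}

// Returns the sorted, de-duplicated list of hosts with at least one IOC hit.
function hostsToEscalate(lines) {
  const hosts = new Set();
  for (const line of lines) {
    const m = /\bhost=(\S+)/.exec(line);  // assumed log field
    if (m && matchIocs(line).length > 0) hosts.add(m[1]);
  }
  return [...hosts].sort();
}

// Constructed sample log lines (not real telemetry).
const sampleLog = [
  "2026-03-31T00:01:07Z host=build-07 dns query A sfrclak.com.",
  "2026-03-31T00:01:08Z host=build-07 CONNECT 142.11.196.73:8000",
  "2026-03-31T00:02:11Z host=dev-12 GET http://sfrclak[.]com:8000/6202033",
  "2026-03-31T00:03:00Z host=dev-14 dns query A notsfrclak.com",
  "2026-03-31T00:03:05Z host=dev-14 dns query A sfrclak.com.example.org",
  "2026-03-31T00:04:00Z host=ci-02 dns query A registry.npmjs.org",
];

console.log(hostsToEscalate(sampleLog));
```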
2. Version audit
Check axios version:
npm list axios
If [email protected] or [email protected] is found, remove it immediately and pin it to a known safe version (1.14.0 or earlier):
npm install axios@1.14.0 --save-exact
3. Check node_modules
The presence of plain-crypto-js is itself evidence:
Even if the contents of the plain-crypto-js directory in node_modules look clean, its very existence is proof that the setup.js loader was executed (the stub file may have been replaced after execution).
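The version audit and the node_modules check above can also be run against a lockfile, which additionally shows which package pulled the transitive dependency in. This is an added example, not code from the original article; it assumes an npm lockfile with `lockfileVersion` 2 or 3, the sample lockfiles are constructed, and the flagged axios version in them is a placeholder.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the malicious transitive dependency named in the article.
const BAD_PACKAGE = "plain-crypto-js"; // package name from the article

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the name.
    const name = path.split("node_modules/").pop();
    if (name === BAD_PACKAGE) {
      findings.push({ kind: "installed", path, version: meta.version,
        hasInstallScript: meta.hasInstallScript === true });
    }
    // Report which package declares it, to show how it entered the tree.
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (BAD_PACKAGE in deps) {
      findings.push({ kind: "pulled-in-by", path: path || "(root project)",
        version: meta.version, range: deps[BAD_PACKAGE] });
    }
  }
  return findings;
}

// Constructed sample lockfiles; "0.0.0-PLACEHOLDER" is not a real version or IoC.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER",
      dependencies: { "follow-redirects": "^1.15.0", "plain-crypto-js": "4.2.1" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};
const cleanLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "clean-app", version: "1.0.0", dependencies: { axios: "1.14.0" } },
    "node_modules/axios": { version: "1.14.0",
      dependencies: { "follow-redirects": "^1.15.0" } },
  },
};

for (const finding of auditLockfile(sampleLock)) console.log(JSON.stringify(finding));
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json. A lockfile only records what was resolved, so the on-disk node_modules check described above still applies.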
4. CI/CD Pipeline Audit
Any CI/CD pipeline that has run an installation of [email protected] or [email protected] should be considered compromised. Immediately rotate all secrets and tokens injected into these pipelines.
5. System check
Check for RAT traces on infected systems:
Review the running processes and persistence mechanisms on systems where an affected version was installed. Contact your security team for a complete forensic review.
Detection coverage
ThreatBook's OneSEC endpoint security platform detected the malicious code executing in real time on Windows and macOS hosts running OpenClaw installations. The following ThreatBook platforms also support detection and blocking of these IOCs:
- Cloud Sandbox S
- OneSandbox (sandbox analysis platform)
Lessons and reflections
The Importance of Supply Chain Security
The attack revealed just how lethal supply chain attacks can be. Even the most basic and widely used dependency libraries can become an entry point for attackers. Key lessons:
- The threat of stolen maintainer accounts is real
- Manual releases can bypass automated CI/CD checks
- Transitive dependencies are the "invisible bridge" that attackers favor
OpenClaw’s response
For OpenClaw users, this attack reminds us:
- Using local models (such as gpt-oss-120b) can reduce dependence on external HTTP requests
- Tool Policy should strictly limit the use of exec and web_fetch
- Sandboxing is the key to preventing AI agents from abusing system resources
- Regular dependency audits (npm audit) and network traffic monitoring are necessary defensive measures
Conclusion
The axios poisoning incident is a major wake-up call for supply chain security in 2026. In the era of AI agents, every dependency may become an entry point for attackers. Real security does not rely on "trust" or "auditing", but on establishing a "dynamic defense" system that can detect, isolate and counter attacks in real time.
For OpenClaw users, this attack is a good opportunity to re-examine system architecture: re-evaluate your AI agents’ permissions, dependencies, and monitoring strategies. After all, in 2026, “data sovereignty” is as important as “system sovereignty.”
Related links:
- ThreatBook report: OpenClaw Users at Risk: Axios on npm Backdoored with Cross-Platform RAT
- npm release: Axios Supply Chain Attack Response