PANews reported on March 31 that SlowMist issued another security alert, urging users to check whether they were exposed to the malicious axios versions 1.14.1/0.30.4 and to review their history of global npm installs of OpenClaw. axios@1.14.1 and axios@0.30.4 have been confirmed as malicious releases; both were injected with the dependency plain-crypto-js@4.2.1, which delivers cross-platform malicious payloads through a postinstall script.
The impact on OpenClaw depends on how it was installed. Source-code builds are unaffected because the lockfile pins axios to 1.13.5/1.13.6. Users who installed it with `npm install -g openclaw@2026.3.28`, however, may have been exposed, because the dependency chain contains `optionalDependencies.axios@^1.7.4`, which could resolve to `axios@1.14.1` while the malicious version was still on the registry. npm currently resolves this to `axios@1.14.0`, but environments installed during the attack window should still be investigated.
SlowMist provides troubleshooting commands and IoC paths for the various platforms. If a plain-crypto-js directory is found, it should be treated as a high-risk execution trace even if package.json has already been cleaned up. Affected hosts should rotate their credentials immediately and undergo host-side investigation.
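As an added illustration of the check described above (this is not SlowMist's tooling and not the alert's own commands), the script below walks one or more npm install trees, such as the output of `npm root -g` or a project's `node_modules`, and flags the two malicious axios versions plus any `plain-crypto-js` directory, which it reports even when no package.json remains. The `make_sample_tree` helper only builds a constructed fixture for demonstration; the directory layout it creates is an assumption, not real IoC data.

```python
# Scan npm install trees for traces of the malicious axios releases.
import json, os, sys, tempfile
from pathlib import Path

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}  # versions named in the SlowMist alert
INJECTED_DEP = "plain-crypto-js"        # dependency injected into them


def read_version(pkg_dir):
    """Version from package.json, or '?' if the file is missing or broken."""
    try:
        return str(json.loads((Path(pkg_dir) / "package.json").read_text())["version"])
    except (OSError, ValueError, KeyError):
        return "?"


def scan_tree(root):
    """Walk an install tree; return (kind, path, version) findings.
    A plain-crypto-js dir counts even with no package.json: the dir is the trace."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if d.parent.name != "node_modules":
            continue
        if d.name == INJECTED_DEP:
            findings.append((INJECTED_DEP, str(d), read_version(d)))
            dirnames[:] = []  # nothing below it matters
        elif d.name == "axios" and read_version(d) in MALICIOUS_AXIOS:
            findings.append(("axios", str(d), read_version(d)))
    return findings


def make_sample_tree(axios_version, with_injected):
    """Constructed fixture, not real data: a global install of openclaw."""
    root = Path(tempfile.mkdtemp())
    axios = root / "lib" / "node_modules" / "openclaw" / "node_modules" / "axios"
    axios.mkdir(parents=True)
    (axios / "package.json").write_text(json.dumps({"name": "axios", "version": axios_version}))
    if with_injected:
        (axios / "node_modules" / INJECTED_DEP).mkdir(parents=True)  # no package.json left
    return str(root)


if __name__ == "__main__":  # usage: python scan.py "$(npm root -g)" ./node_modules
    hits = [h for r in sys.argv[1:] for h in scan_tree(r)]
    for kind, path, ver in hits:
        print(f"{kind}@{ver}: {path}")
    sys.exit(1 if hits else 0)
```

A non-zero exit code means at least one trace was found, so the script can be dropped into a fleet-wide check that feeds the credential-rotation and host investigation steps the alert recommends.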