As of March 31, 2026, publicly available intelligence indicates that [email protected] and [email protected] have been confirmed as malicious versions. Both are injected with an additional dependency, [email protected], which can deliver cross-platform malicious payloads via a postinstall script. The impact of this event on OpenClaw needs to be assessed scenario by scenario:

1) Source code build scenario: Unaffected. The v2026.3.28 lock file pins [email protected] / 1.13.6, so the malicious version is not pulled in.

2) npm install -g [email protected] scenario: There is a historical exposure risk, because the dependency chain contains openclaw -> @line/[email protected] -> optionalDependencies.axios@^1.7.4. During the time window in which the malicious version was still online, this range could be resolved to [email protected].

3) Current reinstallation result: npm has reverted to resolving to [email protected]. For environments that were installed within the attack window, however, it is still recommended to treat them as affected and check for the IoCs.

In addition, SlowMist suggests that if the plain-crypto-js directory is found, it should be considered a high-risk execution trace even if the package.json file has been cleaned up. For hosts that executed npm install or npm install -g [email protected] within the attack window, it is recommended to immediately rotate credentials and conduct host-side investigations.
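As an added example (not SlowMist's or OpenClaw's own tooling), the following Python script performs the two checks the advisory describes: it walks an install tree for any node_modules/plain-crypto-js directory, and it lists the axios versions pinned in a package-lock.json so they can be compared against the versions named above. The @example/sdk path and the 0.0.0-constructed version in the sample tree are constructed placeholders.

```python
import json
import os
import tempfile
from pathlib import Path

# Injected dependency named in the advisory: any node_modules/plain-crypto-js
# directory is treated as a high-risk execution trace, package.json or not.
INJECTED_PACKAGE = "plain-crypto-js"


def find_execution_traces(root):
    """Return every node_modules/<INJECTED_PACKAGE> directory below root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == "node_modules" and INJECTED_PACKAGE in dirnames:
            hits.append(os.path.join(dirpath, INJECTED_PACKAGE))
    return sorted(hits)


def resolved_versions(lock_path, package="axios"):
    """Collect every version of `package` pinned in a package-lock.json, handling
    both the v2/v3 'packages' map and the v1 nested 'dependencies' tree."""
    lock = json.loads(Path(lock_path).read_text())
    found = set()
    for key, entry in lock.get("packages", {}).items():
        if key.endswith("node_modules/" + package):
            found.add(entry.get("version"))

    def walk(deps):  # lockfileVersion 1 nests transitive deps recursively
        for name, entry in deps.items():
            if name == package and "version" in entry:
                found.add(entry["version"])
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(v for v in found if v)


def build_sample_environment():
    """Constructed sample tree (not a real capture): one nested copy of the
    injected package and two pinned axios versions; '@example/sdk' is a placeholder."""
    root = tempfile.mkdtemp()
    nested = os.path.join(root, "node_modules", "@example", "sdk", "node_modules")
    os.makedirs(os.path.join(nested, INJECTED_PACKAGE))
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "sample"},
        "node_modules/axios": {"version": "1.13.6"},
        "node_modules/@example/sdk/node_modules/axios": {"version": "0.0.0-constructed"},
    }}
    Path(root, "package-lock.json").write_text(json.dumps(lock))
    return root
```

Run find_execution_traces against both the project directory and the global npm prefix, since the advisory's npm install -g scenario places the dependency chain under the global node_modules.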