慢雾提醒：axios 恶意版本 1.14.1 / 0.30.4 存在安全风险，建议排查并轮换凭据

GateNews

2026-03-31 08:01:45

Gate News 消息，3 月 31 日，慢雾安全团队发布预警，截至 2026 年 3 月 31 日，公开情报显示 axios@1.14.1 与 axios@0.30.4 已被确认为恶意版本。两者均被植入额外依赖 plain-crypto-js@4.2.1，该依赖可通过 postinstall 脚本投递跨平台恶意载荷。

该事件对 OpenClaw 的影响需分场景判断：1）源码构建场景不受影响，v2026.3.28 锁文件实际锁定的是 axios@1.13.5 / 1.13.6，未命中恶意版本；2）npm install -g openclaw@2026.3.28 场景存在历史暴露风险，原因是依赖链中存在 openclaw -> @line/bot-sdk@10.6.0 -> optionalDependencies.axios@^1.7.4，在恶意版本仍在线的时间窗口内，可能被解析到 axios@1.14.1；3）当前重新安装结果显示，npm 已回退解析到 axios@1.14.0，但在攻击窗口内安装过的环境，仍建议按受影响场景处理并排查 IoC。

慢雾提示，若发现 plain-crypto-js 目录存在，即使其中 package.json 已被清理，也应视为高风险执行痕迹。对攻击窗口内执行过 npm install 或 npm install -g openclaw@2026.3.28 的主机，建议立即轮换凭据并开展主机侧排查。

View Source

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.

Opmerking

0/400

Geen opmerkingen