Check If You're Compromised by the Axios Attack (MacOS only)
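#!/bin/bash
#
# Checks for the axios npm supply chain attack (CVE-2025-XXXXX)
# Compromised versions: axios@1.14.1, axios@0.30.4
# Malicious dependency: plain-crypto-js@4.2.1
# macOS RAT artifact: /Library/Caches/com.apple.act.mond
#
# Source: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
#
# Usage: ./check-axios-compromise.sh [search_root]
#   search_root defaults to $HOME
#
# Output: one row per project (directory containing a node_modules/) with the
# axios version(s) found anywhere under it, whether the plain-crypto-js
# dropper is present, and a status of ok / UNVERIFIED / COMPROMISED.
# Exit status: 1 if any compromise indicator was found, 0 otherwise.

set -u

search_root="${1:-$HOME}"
found_compromised=0
repos_checked=0

#######################################
# Print the "version" field of a package.json without executing any code
# from the package tree.
# Arguments: $1 - path to a package.json
# Outputs:   the version string, or "unknown" if it cannot be read
#######################################
read_pkg_version() {
  local pkg_json=$1
  local ver=""
  # npm writes package.json pretty-printed, one key per line, so a plain sed
  # works and avoids depending on python3 (which on macOS without the command
  # line tools is only an installer stub).
  ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' -- "$pkg_json" 2>/dev/null | head -n 1)
  if [ -z "$ver" ] && command -v python3 >/dev/null 2>&1; then
    # Fallback for minified or unusually formatted files.
    ver=$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["version"])' "$pkg_json" 2>/dev/null)
  fi
  printf '%s\n' "${ver:-unknown}"
}

#######################################
# Returns 0 if the given axios version is one of the compromised releases.
# Arguments: $1 - version string
#######################################
is_compromised_axios() {
  case "$1" in
    1.14.1|0.30.4) return 0 ;;
    *) return 1 ;;
  esac
}

printf "\n=== Axios Supply Chain Attack Scanner ===\n"
printf "Scanning: %s\n" "$search_root"
printf "Compromised versions: 1.14.1, 0.30.4\n"
printf "Malicious dropper: plain-crypto-js\n\n"

# Check macOS RAT artifact
if [ -e /Library/Caches/com.apple.act.mond ]; then
  printf "[!!!] macOS RAT artifact found at /Library/Caches/com.apple.act.mond\n"
  printf "      This machine may be actively compromised.\n\n"
  found_compromised=1
else
  printf "[OK] No macOS RAT artifact found.\n\n"
fi

printf "%-50s %-15s %-20s %s\n" "DIRECTORY" "AXIOS VERSION" "PLAIN-CRYPTO-JS" "STATUS"
printf "%-50s %-15s %-20s %s\n" "---------" "-------------" "---------------" "------"

# Outer find stops at each top-level node_modules (-prune), so the whole
# project tree is reported as one row; the inner finds below walk that
# node_modules tree so nested/transitive installs (node_modules/*/node_modules/axios)
# are not missed, which the previous top-level-only check would have skipped.
while IFS= read -r -d '' node_modules_dir; do
  repo_dir="$(dirname "$node_modules_dir")"
  display_name="${repo_dir/#$HOME/~}"
  repos_checked=$((repos_checked + 1))
  printf "\r\033[2KChecking [%d]: %s ..." "$repos_checked" "$display_name" >&2

  status="ok"

  # Check every axios install under this project, top-level or nested.
  axios_vers=""
  while IFS= read -r -d '' pkg_json; do
    ver=$(read_pkg_version "$pkg_json")
    axios_vers="${axios_vers:+$axios_vers,}$ver"
    if is_compromised_axios "$ver"; then
      status="COMPROMISED"
      found_compromised=1
    elif [ "$ver" = "unknown" ] && [ "$status" = "ok" ]; then
      # A version we could not read must not be reported as clean.
      status="UNVERIFIED"
    fi
  done < <(find "$node_modules_dir" -path '*/node_modules/axios/package.json' -print0 2>/dev/null)
  axios_vers="${axios_vers:-(none)}"

  # Check for plain-crypto-js dropper anywhere under this project.
  dropper="no"
  if [ -n "$(find "$node_modules_dir" -type d -name plain-crypto-js -path '*/node_modules/plain-crypto-js' -print 2>/dev/null | head -n 1)" ]; then
    dropper="YES"
    status="COMPROMISED"
    found_compromised=1
  fi

  # Clear progress line before printing result row
  printf "\r\033[2K" >&2
  printf "%-50s %-15s %-20s %s\n" "$display_name" "$axios_vers" "$dropper" "$status"
done < <(find "$search_root" -name node_modules -type d -prune -print0 2>/dev/null)

printf "\r\033[2K" >&2
printf "\nScanned %d projects.\n" "$repos_checked"

if [ "$found_compromised" -eq 1 ]; then
  printf "\n[!!!] COMPROMISE DETECTED. Remove affected packages and investigate immediately.\n"
  exit 1
else
  printf "\n[OK] No compromises found.\n"
  exit 0
fi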