Attack Chain

1. Attacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.
2. Unsuspecting developers or users download and install the compromised package from the npm registry.
3. During installation, the malicious package executes malicious code injected by the attacker.
4. The malicious code collects Bitwarden credentials and other sensitive information stored in the CLI’s configuration.
5. The compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.
6. Stolen credentials and sensitive information are exfiltrated to the attacker’s server.
7. The attacker uses the stolen credentials to access victim’s Bitwarden vaults or other systems.
8. The attacker may further escalate privileges and compromise additional systems within the victim’s environment using the stolen credentials.

Impact

Successful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.

Recommendation

• Monitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.
• Implement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.
• Deploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.
• Enforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.
• Regularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.

Attack Chain

1. Initial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.
2. Malicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a “preinstall” hook.
3. Execution of setup.mjs: During the npm install process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.
4. Bun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.
5. Execution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.
6. Credential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.
7. Data Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.
8. Propagation: The malware searches for commits containing the keyword “OhNoWhatsGoingOnWithGitHub,” decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.

Impact

Compromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.

Recommendation

• Rotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).
• Monitor npm install processes for unexpected execution of node setup.mjs (see Attack Chain).
• Implement the Sigma rule “Detect Suspicious Bun Process Execution” to identify potential execution of the Bun runtime from temporary directories.
• Monitor network connections for unusual processes connecting to api.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub (see IOCs) to detect potential C2 activity.
• Deploy the Sigma rule “Detect Github Commit By Claude Email” to identify commits authored with the email claude@users.noreply.github.com to detect malicious commits.

Attack Chain

1. The attacker compromises an NPM token, possibly exposed through CircleCI.
2. The attacker injects a malicious preinstall script into the targeted SAP NPM packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite).
3. When a user installs the compromised package, the preinstall script executes.
4. The script fetches a Bun ZIP archive from a GitHub repository.
5. The script extracts the Bun archive and executes the included Bun binary.
6. The Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.
7. The stolen data is exfiltrated to public GitHub repositories with the description “A Mini Shai-Hulud has Appeared”.
8. The malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.

Impact

The Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.

Recommendation

• Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) during the exposure window.
• Implement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description “A Mini Shai-Hulud has Appeared”.
• Monitor process execution for the execution of bun binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule Detect Bun Execution From NPM Package to detect this behavior.

Attack Chain

1. Initial Compromise: Threat actors compromise official SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.
2. Package Modification: The compromised npm packages are modified to include a malicious ‘preinstall’ script.
3. Installation Trigger: When developers install the compromised packages using npm install, the ‘preinstall’ script executes automatically.
4. Payload Download: The ‘preinstall’ script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub.
5. Execution of Information Stealer: The Bun runtime is used to execute a heavily obfuscated execution.js payload, which acts as an information stealer.
6. Credential Theft: The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables. It also attempts to extract secrets directly from the CI runner’s memory by scanning /proc/<pid>/maps and /proc/<pid>/mem.
7. Data Exfiltration: The stolen data is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories include the description “A Mini Shai-Hulud has Appeared”.
8. Lateral Movement: The malware searches GitHub commits for the string OhNoWhatsGoingOnWithGitHub:<base64>, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.

Impact

This supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim’s network, data exfiltration, and further supply chain attacks. The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.

Recommendation

• Monitor npm package installations for the presence of preinstall scripts executing unusual processes, such as the execution of setup.mjs or the download of the Bun JavaScript runtime from GitHub; implement the Detect Suspicious NPM Package Preinstall Script Sigma rule.
• Implement the Detect GitHub Repository Creation with "A Mini Shai-Hulud has Appeared" Description Sigma rule to detect exfiltration attempts via public GitHub repositories.
• Audit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.
• Monitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of /proc/<pid>/maps and /proc/<pid>/mem as outlined in the overview.
• Deprecate and remove the compromised packages @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48) from your development and CI/CD environments.

Attack Chain

1. A developer installs a malicious npm package from the npm registry.
2. During installation, the package executes embedded code automatically.
3. The malware scans environment variables on the local system, looking for credentials and developer tokens.
4. The malware harvests browser credentials, crypto wallet data, and configuration files containing credentials.
5. The collected data is exfiltrated to an external server controlled by the attacker.
6. The malware attempts to locate an npm automation token on the infected machine.
7. If a token is found, the malware lists all packages to which the token grants “write” access.
8. The malware downloads the packages, injects the malicious script into them, and republishes them to the npm registry, spreading the infection to other projects.

Impact

Successful CanisterSprawl infections can lead to the exfiltration of sensitive data, including API keys, authentication tokens, and credentials, which can be used to gain unauthorized access to internal systems and services. The malware’s self-propagating nature allows it to spread through the npm ecosystem, potentially compromising numerous projects and developer accounts. If successful, attackers can inject malicious code into trusted packages, leading to supply chain attacks that affect a large number of downstream consumers. This can damage the reputation of affected developers and organizations, and result in significant financial losses.

Recommendation

• Remove any identified malicious packages immediately to prevent further data theft and propagation.
• Rotate potentially compromised credentials, tokens, and API keys that may have been exposed from affected hosts.
• Review environment variables and local credentials on developer machines for potential compromise.
• Audit account activity for unauthorized publishing or access to the npm registry, as highlighted in the Overview section.
• Deploy the Sigma rule to detect suspicious processes attempting to access sensitive files related to credentials.
• Enable file integrity monitoring for common credential storage locations and configuration files to detect unauthorized access and modifications.

Attack Chain

1. Attacker creates a malicious Git repository containing a symbolic link (e.g., config_file) pointing to a sensitive target file or directory (e.g., /tmp/fake_root/etc/passwd).
2. Attacker generates a malicious payload (e.g., payload.tar) containing a file with the same name as the symbolic link (e.g., config_file) and uploads both to their Git repository.
3. Victim clones the attacker’s Git repository using git clone. This action automatically restores the symbolic link on the victim’s system.
4. Victim runs an application that utilizes the vulnerable compressing library to extract the payload.tar archive.
5. The compressing library’s isPathWithinParent function resolves the path to the file being extracted. Due to lack of lstat checks, the symbolic link is not detected.
6. The fs.writeFile function follows the symlink, writing the contents of the file from payload.tar to the targeted sensitive file (e.g., /tmp/fake_root/etc/passwd).
7. Arbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.
8. Attacker achieves persistent access or control by overwriting critical system files.

Impact

Successful exploitation allows attackers to overwrite arbitrary files on the victim’s system, potentially leading to privilege escalation by modifying sensitive system files such as /etc/passwd. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the compressing library up to version v2.1.0 when extracting untrusted archives.

Recommendation

• Upgrade the compressing npm package to a patched version that includes proper symlink handling. This is the primary remediation.
• Inspect Git repositories for suspicious symbolic links before cloning. Use git ls-tree -r <commit-ish> | grep 120000 to search for symlinks in a repository.
• Implement runtime monitoring for file writes to unexpected locations based on the compressing library’s activity. Create a detection rule based on process_creation and file_event to detect writes to sensitive directories such as /etc by processes spawned by Node.js that also load the vulnerable compressing module.
• Monitor network connections originating from processes related to the compressing library after file extraction. Create a Sigma rule based on network_connection and process_creation to detect unusual outbound connections after archive extraction.

Attack Chain

1. An attacker gains control over an environment where the vulnerable openclaw package is utilized.
2. The attacker identifies that the openclaw version is prior to 2026.4.10.
3. The attacker injects a malicious environment variable, such as VIMINIT, EXINIT, LUA_INIT, or HOSTALIASES, into the system’s environment.
4. The openclaw package executes a process that reads and utilizes environment variables without proper sanitization.
5. The injected environment variable overrides the intended behavior of the process. For example, VIMINIT can be used to execute arbitrary vim commands upon startup.
6. This execution leads to arbitrary code execution or modified network behavior, depending on the injected variable. For example, HOSTALIASES can redirect network requests to attacker-controlled servers.
7. The attacker achieves their objective, such as gaining unauthorized access, exfiltrating data, or causing denial of service.
8. The attacker leverages the compromised environment to propagate the attack further.

Impact

The vulnerability allows for arbitrary code execution or network redirection by injecting malicious environment variables. Successful exploitation could lead to unauthorized access to sensitive data, system compromise, or denial-of-service conditions. The specific impact depends on the context in which openclaw is used and the permissions of the user running the affected process. The reported vulnerability has been fixed in openclaw version 2026.4.10 and later.

Recommendation

• Upgrade the openclaw package to version 2026.4.10 or later to remediate the vulnerability, as indicated in the advisory (https://github.com/advisories/GHSA-vfp4-8x56-j7c5).
• Monitor process execution for the presence of environment variables being passed to child processes, focusing on VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Implement the Sigma rule below to detect suspicious process execution involving these variables.
• Implement a system-wide policy to restrict the modification of environment variables by non-administrative users.

Attack Chain

1. Attacker identifies a target system running a vulnerable version of OpenClaw (prior to 2026.3.24).
2. Attacker crafts a malicious .npmrc file. This file contains a configuration that overrides the git executable path to point to a malicious binary under attacker control. For example, git=path/to/malicious/executable.
3. The attacker places the crafted .npmrc file in a location where the npm command will recognize it (e.g., the project directory, user’s home directory, or a global configuration directory).
4. The attacker triggers an npm install command execution within a project that processes plugins or hooks.
5. During the npm install process, npm attempts to resolve git dependencies.
6. Due to the .npmrc configuration, npm executes the attacker-controlled “git” executable specified in the .npmrc file instead of the legitimate git binary.
7. The attacker-controlled executable executes arbitrary code on the system.
8. The attacker achieves arbitrary code execution, potentially leading to system compromise, data exfiltration, or other malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary code with the privileges of the user running the npm install command. This can lead to complete system compromise, sensitive data leakage, or denial-of-service. While the specific number of victims is unknown, any system running a vulnerable version of OpenClaw is at risk. Sectors most likely to be impacted are those relying on OpenClaw for plugin and hook management.

Recommendation

• Upgrade OpenClaw to version 2026.3.24 or later to patch the vulnerability (CVE-2026-35641).
• Implement file integrity monitoring on .npmrc files to detect unauthorized modifications (file_event log source).
• Monitor process executions where npm spawns child processes from unusual or unexpected paths, especially those outside standard installation directories (process_creation log source). Use the Sigma rule provided below to detect this behavior.

Attack Chain

1. Attacker identifies a vulnerable OpenClaw instance running version 2026.4.2 or earlier.
2. Attacker authenticates to the OpenClaw instance.
3. Attacker crafts a malicious payload intended to be interpreted as a standard “wake” command.
4. Attacker sends a specially crafted /hooks/wake request or a mapped wake payload containing the malicious content.
5. Due to the vulnerability, OpenClaw incorrectly promotes the attacker-controlled payload into the trusted System: prompt channel.
6. The OpenClaw assistant processes the malicious payload within the System: context, granting it elevated privileges within the application’s trust model.
7. The malicious payload executes arbitrary commands or actions within the OpenClaw environment as a trusted system component.
8. The attacker achieves their objective, which could involve data manipulation, unauthorized access to local resources, or other malicious activities within the scope of the OpenClaw assistant.

Impact

This vulnerability allows an attacker to inject malicious commands into the trusted system prompt channel of OpenClaw. Successful exploitation could lead to unauthorized data access, modification, or execution of arbitrary code within the OpenClaw environment. While the advisory does not specify the number of affected users, any instance running OpenClaw version 2026.4.2 or earlier is vulnerable. The primary risk is the compromise of the user’s local assistant and potentially the data it manages.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to remediate the vulnerability (reference: Affected Packages / Versions).
• Monitor OpenClaw logs for suspicious activity related to the /hooks/wake endpoint (develop custom rules based on your OpenClaw logging configuration).
• Deploy the Sigma rule provided in this brief to detect potential exploitation attempts by monitoring process execution following /hooks/wake requests.

Attack Chain

1. The attacker publishes 36 malicious NPM packages to the NPM registry, using names that mimic legitimate Strapi plugins to entice Strapi developers to install them.
2. A Strapi developer installs one or more of the malicious NPM packages into their Strapi project using the npm install command.
3. Upon installation, the malicious package executes its payload, which may include Redis code execution by injecting crontab entries and deploying PHP/Node.js reverse shells.
4. The payload attempts to escape Docker containers via overlay filesystem discovery, writing shells to host directories and launching a reverse shell.
5. The malicious code harvests credentials from the compromised system, including database passwords, API keys, JWT secrets, Elasticsearch credentials, and wallet/key files.
6. The attacker gains a reverse shell on the compromised system, allowing them to execute arbitrary commands and further explore the network.
7. The malware exfiltrates Strapi configurations and Guardarian API module data to an external attacker-controlled server.
8. The attacker establishes persistent implants on the compromised system to maintain long-term access and control.

Impact

This supply chain attack can lead to severe consequences for Strapi users, particularly those in the cryptocurrency sector. If successful, the attack allows for unauthorized access to sensitive data, including API keys, database credentials, and customer information. The direct targeting of Guardarian suggests a high-value target with potential for significant financial loss. A successful attack could result in data breaches, financial theft, and reputational damage for affected organizations. The ability to escape Docker containers further broadens the attack surface, potentially compromising the host system and other containers running on the same infrastructure.

Recommendation

• Deploy the “Detect Suspicious NPM Package Installation” Sigma rule to identify potentially malicious package installations (see rule below).
• Enable process creation logging with command-line arguments to facilitate detection and investigation of suspicious activity.
• Rotate all credentials, including database passwords, API keys, JWT secrets, and other secrets stored on systems where the malicious packages may have been installed, as recommended in the overview.
• Monitor network connections for reverse shell activity originating from Strapi servers, as described in the Attack Chain (reference network_connection log source in Sigma rules).
• Implement file integrity monitoring to detect unauthorized modifications to Strapi configuration files and other sensitive files (reference file_event log source in Sigma rules).

Attack Chain

1. The attacker identifies a target developer and initiates contact via LinkedIn/Slack, impersonating a legitimate company.
2. The attacker invites the developer to a Slack workspace populated with fake profiles and staged company activity.
3. A meeting is scheduled on Microsoft Teams, during which a fake “RTC Connection” error message is displayed.
4. The attacker prompts the developer to install a “Teams update” to resolve the error.
5. The fake update is a RAT malware, granting the attacker remote access to the developer’s machine.
6. The attacker steals the developer’s npm credentials, bypassing MFA due to already authenticated session.
7. The attacker publishes malicious versions of the Axios package (1.14.1 and 0.30.4) to the npm registry, injecting the plain-crypto-js dependency.
8. Systems installing the compromised Axios versions download and execute the plain-crypto-js package, resulting in RAT deployment and credential theft.

Impact

The compromise of the Axios npm package created a supply chain attack impacting an unknown number of systems across various sectors. Systems that installed the malicious versions (1.14.1 and 0.30.4) within the three-hour window are considered compromised. Successful exploitation results in the installation of a remote access trojan (RAT) capable of stealing credentials, browser data, and other sensitive information from macOS, Windows, and Linux systems. This can lead to further unauthorized access, data breaches, and potential financial loss.

Recommendation

• Monitor npm package installations for the presence of the plain-crypto-js dependency, particularly in projects that use Axios versions 1.14.1 or 0.30.4.
• Implement multi-factor authentication (MFA) for npm accounts and other developer accounts, but recognize that authenticated sessions can be hijacked.
• Deploy the Sigma rule “Detect Suspicious NPM Package Installation” to detect potentially malicious package installations based on unusual parent processes (see below).
• Block the domain associated with the malicious dependency plain-crypto-js at the DNS resolver.
• Educate developers about social engineering tactics and the risks of installing software from untrusted sources.

Attack Chain

1. The attacker compromised the Axios NPM package and injected malicious code.
2. Malicious versions v1.14.1 and v0.30.4 were published to the NPM registry.
3. The malicious packages introduce a fake runtime dependency named ‘plain-crypto-js’.
4. Upon installation of the compromised package, the ‘plain-crypto-js’ dependency executes automatically via a post-install script.
5. The dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.
6. On MacOS, a binary named “com.apple.act.mond” is downloaded and executed using zsh.
7. On Windows, a PowerShell script (6202033.ps1) is downloaded, and the legitimate powershell.exe is copied to “%PROGRAM DATA%\wt.exe”, and the ps1 script is executed with hidden and execution policy bypass flags.
8. On Linux, a Python backdoor is downloaded and executed. The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.

Impact

This supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks like these affecting widely used libraries, as seen in 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review, highlight the substantial risk they pose.

Recommendation

• Roll back to safe Axios versions (v1.14.0 or v0.30.3) immediately to prevent further compromise, as mentioned in the overview.
• Investigate systems that downloaded malicious packages (v1.14.1 or v0.30.4) for signs of follow-on payloads from the actor-controlled infrastructure, as described in the overview.
• Block the actor-controlled IP address 142.11.206.73 and domain Sfrclak.com at the network perimeter to prevent further communication with the malicious infrastructure, per the IOC list.
• Monitor for execution of PowerShell scripts from unusual locations, specifically “%PROGRAM DATA%\wt.exe”, as part of the attack chain.
• Implement a process creation rule to alert when processes connect to external IPs using uncommon parent processes. See example rule below.

Attack Chain

1. Attacker compromises the axios npm package, injecting malicious code into versions 1.14.1 and 0.30.4.
2. The compromised axios package is published to the npm registry.
3. A user of @usebruno/cli executes npm install within the attack window (00:21 UTC - 03:30 UTC on March 31, 2026).
4. The npm package manager resolves the dependency chain and downloads the compromised axios package as a dependency of @usebruno/cli.
5. The malicious code within the axios package executes during the postinstall script phase of the installation process.
6. The postinstall script downloads and installs a cross-platform Remote Access Trojan (RAT) on the user’s system.
7. The RAT establishes a connection to a remote command-and-control (C2) server.
8. The attacker uses the RAT to exfiltrate credentials and other sensitive data from the compromised system.

Impact

This supply chain attack could have resulted in widespread compromise of developer systems that used the @usebruno/cli. While the number of affected users is unknown, the incident could have led to the exfiltration of sensitive credentials and proprietary source code, potentially enabling further attacks against the affected organizations and their customers. The incident underscores the need for robust security measures in software development pipelines and continuous monitoring of third-party dependencies for malicious activity.

Recommendation

• If @usebruno/cli was installed during the affected window, reinstall dependencies to ensure a clean version of axios is used (reference: Impact section).
• Rotate all credentials and secrets that were present on systems where @usebruno/cli was installed during the affected window (reference: Impact section).
• Review and implement the security guidance provided in the Aikido Security blog post to further harden your systems (reference: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat).
• Monitor process creation events for unusual processes spawned by npm or node processes, using the provided Sigma rule (reference: Sigma rule - “Detect Suspicious Process Spawned by NPM”).

Attack Chain

1. A malicious actor crafts or modifies an existing OpenClaw model.
2. The model includes instructions to trigger the appendLocalMediaParentRoots function within the src/media/local-roots.ts file.
3. Due to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.
4. The model leverages the expanded directory access to request the reading of arbitrary files on the host system.
5. The openclaw application processes the model’s file read request without proper validation due to the bypassed whitelisting.
6. Sensitive files, such as configuration files or credential stores, are read by the application.
7. The extracted data, including credentials, are then potentially exfiltrated by the malicious model.
8. The attacker gains unauthorized access to sensitive data or systems.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the openclaw application is running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the openclaw package (<=2026.3.28) is susceptible. The impact is narrowed because the tool-fs root expansion requires prior configuration.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).
• Implement input validation and sanitization to prevent arbitrary file paths from being processed by the appendLocalMediaParentRoots function (reference: src/media/local-roots.ts).
• Deploy the Sigma rule to detect attempts to access sensitive files via the openclaw application (reference: Sigma rule below).
• Review and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).

Attack Chain

1. Attacker crafts a malicious package that includes the vulnerable openclaw version (<=2026.3.28) as a dependency.
2. The malicious package leverages the heartbeat functionality of openclaw to establish an initial context.
3. The attacker manipulates the heartbeat context inheritance mechanism to gain control of the senderIsOwner property.
4. By exploiting the inheritance flaw, the attacker escalates privileges within the openclaw sandbox environment.
5. The attacker utilizes the escalated privileges to execute arbitrary code within the sandbox.
6. The arbitrary code gains access to sensitive resources or data within the application utilizing the openclaw package.
7. The attacker exfiltrates the compromised data or uses the compromised application as a pivot point for further attacks.

Impact

Successful exploitation of this vulnerability allows attackers to bypass the openclaw sandbox, potentially leading to arbitrary code execution within applications using the vulnerable package. While the exact scope of impact depends on the application using openclaw, the critical severity suggests significant potential for data breaches, service disruption, or further lateral movement within the compromised environment. Given the widespread use of npm packages, a successful exploit could affect a large number of applications and users.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later. This version contains the fix for the identified vulnerability.
• Deploy the Sigma rules provided below to detect potential exploitation attempts in your environment. Focus on monitoring process creation and file events related to openclaw.
• Implement software composition analysis (SCA) tools to automatically detect vulnerable dependencies like openclaw in your projects.

Attack Chain

1. An attacker identifies a system using a vulnerable version (<=2026.3.28) of the openclaw npm package.
2. The attacker gains access to the system or its environment configuration.
3. The attacker sets either the PIP_INDEX_URL or UV_INDEX_URL environment variable to point to a malicious Python package index server.
4. The system executes a package installation command (e.g., pip install <package>) through openclaw.
5. openclaw, without proper sanitization, uses the attacker-controlled environment variable when resolving package dependencies.
6. The package manager connects to the malicious index server specified in the PIP_INDEX_URL or UV_INDEX_URL variable.
7. The attacker serves malicious or backdoored Python packages through the rogue index.
8. The system installs the malicious packages, potentially compromising the system with arbitrary code execution.

Impact

Successful exploitation of this vulnerability could lead to the installation of malicious Python packages on systems utilizing the vulnerable openclaw version. This could result in arbitrary code execution, data theft, or other malicious activities, depending on the contents of the malicious packages. The scope is somewhat limited since only allowlisted execution paths are affected, which reduces the blast radius.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later to remediate the vulnerability.
• Monitor process executions involving openclaw and the use of PIP_INDEX_URL or UV_INDEX_URL environment variables. Deploy the Sigma rule Detect OpenClaw Using Suspicious Index URL to detect exploitation attempts.
• Implement strict allowlisting of package management execution paths to further limit the potential impact.
• Enable process creation logging to capture command line arguments and environment variables for the openclaw process.

Attack Chain

1. Compromise Maintainer Account: An attacker gains unauthorized access to the credentials of an Axios npm package maintainer.
2. Publish Malicious Package Versions: The attacker uses the compromised account to publish malicious versions of the Axios package (axios@1.14.1 and axios@0.30.4) to the npm registry.
3. Dependency Resolution: Developers or automated build systems unknowingly download and incorporate the malicious Axios versions into their projects during dependency resolution.
4. Malicious Code Execution: The malicious code within the Axios package executes within the context of the affected applications.
5. Privilege Escalation (If Applicable): Depending on the vulnerabilities exploited, the attacker may attempt to escalate privileges within the compromised environment.
6. Data Exfiltration/Lateral Movement: The attacker uses the compromised application as a beachhead to exfiltrate sensitive data or move laterally to other systems on the network.
7. Establish Persistence: The attacker establishes persistent access to the compromised environment to maintain control.
8. Achieve Objectives: The attacker achieves their ultimate objectives, which could include data theft, system disruption, or further compromise of the software supply chain.

Impact

This supply chain attack on the Axios npm package has the potential to affect millions of applications that depend on the library. Successful exploitation could lead to data breaches, unauthorized access to systems, and widespread disruption of services. The exact scope of the impact depends on the nature of the malicious code injected into the Axios package and the vulnerabilities it exploits.

Recommendation

• Monitor npm package installations for the presence of axios@1.14.1 and axios@0.30.4 and investigate any occurrences (refer to the Overview section).
• Implement integrity checks for npm packages to detect unauthorized modifications to dependencies.
• Deploy the provided Sigma rule to detect suspicious process execution within applications using the Axios library (see rule: “Detect Suspicious Process Execution from Axios”).

Attack Chain

1. The attacker gains initial access to the agent workspace.
2. The attacker plants a symbolic link named IDENTITY.md within the agent workspace. This symlink points to a sensitive system file, such as /etc/crontab or ~/.ssh/authorized_keys.
3. The ensureAgentWorkspace function is called, but the exclusive-create flag (wx) skips creation due to the existing symlink (EEXIST error).
4. The attacker triggers the agents.create or agents.update API endpoint, for example, by sending an HTTP POST request.
5. The agents.create or agents.update handler constructs the path to IDENTITY.md using path.join(workspaceDir, DEFAULT_IDENTITY_FILENAME).
6. The vulnerable fs.appendFile function is called to append agent metadata (name, emoji, avatar) to the IDENTITY.md file. Because fs.appendFile follows symlinks, the content is written to the attacker-controlled target file.
7. Attacker-controlled data is appended to the target file.
8. If the target file is a cron configuration file, this leads to remote code execution. If it’s an SSH authorized_keys file, this leads to unauthorized access.

Impact

Successful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. This can lead to:

• Remote Code Execution: By appending malicious entries to /etc/crontab or user crontab files.
• Persistent Code Execution: By modifying shell configuration files like ~/.bashrc or ~/.profile.
• Unauthorized SSH Access: By appending SSH keys to ~/.ssh/authorized_keys.
• Service Disruption: By modifying application configuration files.

The vulnerability affects openclaw versions 2026.2.22 and earlier, and no patches are currently available. The number of affected systems depends on the adoption rate of the openclaw package.

Recommendation

• Monitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.
• Implement and deploy the provided Sigma rule to detect exploitation attempts by monitoring fs.appendFile calls related to IDENTITY.md without symlink resolution.
• Restrict access to the agent workspace directory to prevent attackers from planting symlinks.
• Upgrade to a patched version of openclaw when available.

Attack Chain

1. Attacker crafts a malicious Nostr DM specifically designed to trigger computationally expensive crypto operations within OpenClaw.
2. Attacker sends the malicious DM to a user running a vulnerable version of the openclaw package.
3. The OpenClaw application receives the DM and, due to the vulnerability, proceeds to decrypt the message content before validating the sender’s authorization.
4. OpenClaw attempts to perform cryptographic operations, such as decryption or signature verification, based on the contents of the malicious DM.
5. The application dispatches internal tasks or events based on the decrypted (but unauthorized) message content.
6. Repeatedly sending these crafted messages can lead to denial of service due to CPU exhaustion or memory over-utilization.
7. (If applicable) Depending on the purpose of the cryptographic operations, the attacker may be able to glean partial information or influence the application’s state without full authentication.

Impact

Successful exploitation of this vulnerability could lead to denial-of-service conditions due to excessive CPU usage and memory consumption on systems running vulnerable versions of OpenClaw. Attackers could potentially trigger resource-intensive cryptographic operations without proper authorization, impacting the availability and performance of the application. In specific scenarios, and depending on the application’s functionality, partial information disclosure or unauthorized state changes might be possible. This vulnerability affects any application using the openclaw npm package prior to version 2026.3.22.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.22 or later to remediate the vulnerability (reference affected versions).
• Monitor network traffic for unusually high volumes of inbound Nostr DM messages targeting applications using the openclaw package (network_connection log source).
• Implement rate limiting on Nostr DM processing to prevent denial-of-service attacks (network_connection/firewall log source).
• Deploy the provided Sigma rule to detect suspicious activity related to the vulnerable code paths (process_creation/file_event log source).

Attack Chain

1. Initial Compromise: TeamPCP gains unauthorized access to Trivy infrastructure, potentially exploiting a vulnerability or using stolen credentials.
2. Malware Injection: The attackers inject malicious code into a legitimate Trivy package or create a new package containing the CanisterWorm payload.
3. NPM Deployment: TeamPCP publishes the compromised or new package to the NPM registry, making it available for download by unsuspecting users.
4. Package Installation: Developers unknowingly download and install the malicious package through NPM, integrating CanisterWorm into their projects.
5. Worm Propagation: CanisterWorm begins to propagate itself by infecting other NPM packages and dependencies within the compromised project.
6. Lateral Movement: The worm replicates and spreads to other systems and projects that depend on the infected packages.
7. Persistence: The malware establishes persistence within infected systems to maintain its presence and continue spreading.
8. Payload Delivery: CanisterWorm executes its malicious payload, which could include data theft, code injection, or other harmful activities.

Impact

The deployment of CanisterWorm on NPM poses a significant threat to the software supply chain. Successful infection can lead to widespread compromise of applications and systems that rely on NPM packages. The specific number of victims and the full extent of damage is currently unknown, but the incident has the potential to affect numerous organizations across various sectors that utilize NPM and Trivy in their development processes. Successful exploitation could result in data breaches, service disruptions, and reputational damage.

Recommendation

• Monitor NPM package installations for suspicious activity and unexpected dependencies to identify potential CanisterWorm infections.
• Implement integrity checks for NPM packages to verify their authenticity and prevent the installation of tampered packages.
• Analyze process creation events for suspicious processes originating from NPM-related processes using the provided Sigma rules.
• Regularly scan systems for known malware signatures to detect CanisterWorm and other potential threats.
• Review and strengthen the security of your software supply chain to mitigate the risk of future attacks.

Attack Chain

1. A developer installs a malicious package from the npm registry containing PylangGhost.
2. During the installation process, a post-install script or similar mechanism executes, injecting the PylangGhost RAT into the developer’s environment.
3. The RAT establishes a connection to a command-and-control (C2) server controlled by the attacker.
4. The C2 server sends commands to the infected system, instructing the RAT to perform specific actions.
5. The RAT executes the commands, potentially including data exfiltration, downloading and executing additional payloads, or establishing persistence.
6. Sensitive data, such as credentials, API keys, or source code, is exfiltrated from the compromised system to the C2 server.
7. The attacker gains remote access and control over the compromised system, enabling further malicious activities.

Impact

The presence of PylangGhost on the npm registry introduces a significant supply chain risk. Successful infection allows attackers to gain remote access to developer systems, potentially leading to the theft of sensitive source code, credentials, and other proprietary information. The compromise can extend to applications built using the infected packages, impacting downstream users and potentially leading to widespread data breaches or service disruptions. The number of affected victims is currently unknown, but the risk is widespread due to the popularity of the npm registry.

Recommendation

• Monitor npm package installations for suspicious post-install scripts or unexpected network connections (see related Sigma rules).
• Implement strong dependency scanning tools to identify and remove potentially malicious packages from your projects.
• Analyze network connection logs for connections to unusual or malicious domains after npm package installations (see related Sigma rules).
• Enable process monitoring for any processes spawned during or after npm package installations.

Attack Chain

1. Attacker identifies a vulnerable OpenClaw instance (version <= 2026.4.21) utilizing the MCP loopback.
2. Attacker crafts a malicious HTTP request targeting the MCP loopback endpoint.
3. Attacker injects a forged “sender-owner” header into the HTTP request, claiming owner privileges.
4. The vulnerable OpenClaw instance incorrectly trusts the spoofed “sender-owner” header.
5. The application bypasses owner authorization checks due to the forged header.
6. Attacker gains access to owner-gated operations within the MCP loopback.
7. Attacker performs unauthorized actions, such as modifying configurations or accessing sensitive data.
8. Attacker maintains unauthorized access, potentially escalating privileges further within the system.

Impact

Successful exploitation of this vulnerability could allow unauthorized access to critical system functions intended only for the owner. This could lead to configuration changes, data breaches, or other malicious activities depending on the specific owner-gated operations exposed within the OpenClaw MCP loopback. The severity depends on the permissions granted to the “owner” context within the application but could be critical.

Recommendation

• Upgrade OpenClaw to version 2026.4.22 or later to remediate the vulnerability as described in the fix commit 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19.
• Implement network monitoring to detect suspicious HTTP requests containing potentially forged “sender-owner” headers targeting MCP loopback endpoints using the Sigma rule Detect OpenClaw MCP Loopback Owner Spoofing.
• Review and audit existing OpenClaw deployments to identify and patch vulnerable instances quickly.

Attack Chain

1. Attacker gains control over the Electerm update server or performs a man-in-the-middle attack.
2. The attacker crafts malicious release metadata, including a crafted version string containing command injection payloads.
3. A user on a Linux system executes npm install -g electerm to install or update Electerm.
4. The install.js script fetches the malicious release metadata from the compromised update server.
5. The runLinux() function appends the attacker-controlled version string directly into an exec("rm -rf ...") command.
6. The exec() function executes the command, resulting in arbitrary command execution with the privileges of the user running npm install.
7. The attacker can then tamper with local files, install backdoors, or escalate privileges.
8. The attacker achieves complete system compromise, potentially exfiltrating sensitive data or using the compromised system as a pivot point.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary system commands on the victim’s machine. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and further propagation of the attack within the network. Given the nature of npm install, developers are primarily at risk. The impact could be significant for development environments.

Recommendation

• Apply the following rule to detect command injection attempts within npm installations referencing the electerm package: Electerm NPM install Command Injection.
• Monitor network traffic for connections to unexpected or suspicious update servers that could be serving malicious Electerm release metadata using network connection logs.
• While the vulnerability is patched in later versions, ensure users are aware of the risks associated with running older versions of Electerm (< 3.3.8).

Attack Chain

1. An attacker crafts a malicious OpenClaw package or leverages an existing package.
2. The package contains a symlink within the intended sandbox directory.
3. The OpenClaw application attempts to write to a file via the symlink.
4. Between the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.
5. OpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.
6. This allows the attacker to overwrite or modify arbitrary files on the system.
7. The attacker leverages this capability to gain elevated privileges or compromise sensitive data.

Impact

Successful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.

Recommendation

• Upgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).
• Monitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule Detect OpenClaw Sandbox Escape via Symlink to detect potential exploitation attempts.
• Implement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).