One of the most popular JavaScript packages on earth, Axios, has been compromised

The Axios NPM package has been compromised and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever.

The malware has been pulled by NPM, but because of the package version, Defender and other endpoint security tools may alert on OpenClaw installations as of right now.

https://github.com/openclaw/openclaw/issues/58140

[Bug]: Running official install command triggers Windows Defender - malicious batch file and registry keys added · Issue #58140 · openclaw/openclaw

Bug type Behavior bug (incorrect output/state without crash) Beta release blocker No Summary When running the official installation command from https://openclaw.ai, malicious changes are made to y...


@mttaggart I'm thinking that this is too big... this must be more than what the attackers can handle, no?

It's absolutely bonkers in size, and the amount of affected orgs... it's hard to grasp the entirety of it all. Jesus fucking christ.

@nopatience Luckily it's only a couple of versions, but still gnarly.

@mttaggart I guess... time will tell the impact this will have. But I can't help but think... how many will NOT know that they are affected? I mean... there's a lot of YOLO "coders" out there with absolutely zero idea of CI/CD security.

I mean... I'm probably close to being one of them. Fuck... I'm just like them. As a hobby coder I don't really have protection against this.

I don't pull new packages ... that's it, I have a 7-day limit on updating packages... anyway, I digress.

@nopatience This is where tools like Trivy can help—oh wait

@mttaggart Imagine that... being more secure for not using vulnerability scanners.

There's... a certain level of obvious irony in that.

@mttaggart thank you! Appreciate the sharing!!!

@mttaggart looks like npm delisted the vulnerable versions quickly...

@scottley Yep, and the staged malware dependency. No longer an active threat, but a hunting project. It's such a pain that this can hit a CI/CD pipeline if it runs at the wrong time.

@mttaggart I have to cover my devs, my servers, my customers... having npm dive on the grenade says a lot... that is enormous... they learned a lot from Shai-Hulud. Package providers have a much bigger responsibility than they expected...
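Once the registry has pulled the versions, what remains is the hunting project mentioned above: checking every lockfile that a pipeline may have resolved during the window, including nested copies of the package that live under another dependency's `node_modules`. The script below is an added example, not code from the thread or from npm; it scans a `package-lock.json` for a list of known-bad (name, version) pairs. The package names, version numbers and the lockfile itself are constructed placeholders, not the real affected versions from this incident, so substitute the versions from the advisory you are working from.

```javascript
// Added example (not from the thread): hunt a package-lock.json for
// known-compromised package versions, including nested copies.
// BAD_VERSIONS and SAMPLE_LOCK are constructed sample data; names and
// versions are hypothetical placeholders, not the real affected versions.

// name -> set of versions you consider compromised (fill from the advisory).
const BAD_VERSIONS = {
  "example-http-client": new Set(["1.2.3"]),
  "example-staged-dep": new Set(["0.0.1"]), // the staged malware dependency
};

// Constructed lockfileVersion 3 document (npm >= 7 "packages" map).
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-http-client": "^1.2.0" } },
    "node_modules/example-http-client": {
      version: "1.2.3",
      dependencies: { "example-staged-dep": "0.0.1" },
    },
    "node_modules/example-staged-dep": { version: "0.0.1" },
    "node_modules/some-tool": { version: "4.0.0" },
    // nested, older copy that is NOT on the bad list
    "node_modules/some-tool/node_modules/example-http-client": { version: "1.2.1" },
  },
};

// Package name from a "packages" key: the text after the last "node_modules/".
// Scoped names (@scope/name) contain a slash but no further "node_modules/".
function nameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Walk a lockfileVersion 2/3 "packages" map (flat, keyed by install path).
function scanPackagesMap(packages, bad, hits) {
  for (const [key, entry] of Object.entries(packages)) {
    const name = nameFromKey(key);
    if (!name || !entry.version) continue;
    if (bad[name] && bad[name].has(entry.version)) {
      hits.push({ path: key, name, version: entry.version });
    }
  }
}

// Walk the nested "dependencies" tree used by lockfileVersion 1.
function scanDependenciesTree(deps, bad, hits, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (entry.version && bad[name] && bad[name].has(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
    if (entry.dependencies) {
      scanDependenciesTree(entry.dependencies, bad, hits, `${path}/`);
    }
  }
}

// Every occurrence of a compromised version, de-duplicated by install path.
// v2 lockfiles carry both maps; "packages" is authoritative, so prefer it.
function findCompromised(lock, bad = BAD_VERSIONS) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, bad, hits);
  else scanDependenciesTree(lock.dependencies, bad, hits, "");
  const seen = new Set();
  return hits.filter((h) => !seen.has(h.path) && seen.add(h.path));
}

const hits = findCompromised(SAMPLE_LOCK);
for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
console.log(hits.length ? `${hits.length} hit(s)` : "clean");
```

On the sample lockfile this reports the top-level `example-http-client@1.2.3` and the staged `example-staged-dep@0.0.1`, and stays quiet on the nested `1.2.1` copy. For a real sweep, point it at every lockfile in every repository and at the `node_modules` trees on build agents, since a pipeline that ran `npm install` during the window may have resolved the bad version without the lockfile in git ever changing.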

@mttaggart not that anyone cares, but I'm strongly considering returning to old-school SSR-only pages, without any JS (or at most a pageful of libless JS).

Looking at you, #htmx