Heads up: plain-crypto-js (from the axios compromise) is in your lockfile #608
Description
Hey, I ran a GitHub code search for plain-crypto-js in committed package-lock.json files and your repo came up. You're getting this because of that.
What happened: On March 31, 2026, two malicious axios versions (1.14.1 and 0.30.4) were published to npm via a hijacked maintainer account. Both pull in plain-crypto-js@4.2.1, a dependency whose sole purpose is to drop a cross-platform RAT at install time. The versions have been yanked from npm, but the reference is still in your repo's history.
Checklist
I would recommend pruning the reference from your lockfile in any case (who wants a malware ref on their repo, right?). So here's what you can do:
- Pin axios to a clean version: `1.14.0` (1.x) or `0.30.3` (0.x).
- Regenerate your lockfile from scratch: `rm -rf node_modules package-lock.json && npm install`
- If any successful installation of this package (e.g. `npm install`) ever ran on a CI/CD pipeline, dev machine, your home computer, or otherwise, assume compromise. Rotate npm tokens, SSH keys, cloud creds, `.env` secrets, everything on that box.
- Check for RAT artifacts:
  - macOS: `/Library/Caches/com.apple.act.mond`
  - Windows: `%PROGRAMDATA%\wt.exe`
  - Linux: `/tmp/ld.py`
- Search your machine for any local copies of the package:
  - macOS/Linux: `find / -type d -name "plain-crypto-js" 2>/dev/null`
  - Windows: `dir /s /b /a:d C:\plain-crypto-js`
- Check for the disguised powershell copy (Windows only):
  - Look for `%PROGRAMDATA%\wt.exe`; the malware copies `powershell.exe` there.
  - Compare hashes: `certutil -hashfile "%PROGRAMDATA%\wt.exe" SHA256` against your real `powershell.exe` (on a default install it lives at `%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe`). A matching hash confirms the artifact; a non-match does not clear the box on its own.
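The checklist above as a script, an added example that is not code from the issue author or from any project named here. It assumes only what the issue states (the two malicious axios versions, plain-crypto-js@4.2.1, and the three artifact paths); the lockfile samples inside are constructed, the `REAL_POWERSHELL` path is the default install location, and the function names are mine. It goes slightly beyond the checklist in two ways: it reads both lockfileVersion 1 (nested tree) and 2/3 (flat `packages` map), and it also flags the bad axios versions themselves, so a lockfile that was edited to drop plain-crypto-js but still resolves axios to 1.14.1 or 0.30.4 is still caught.

```python
"""Lockfile and host triage for the plain-crypto-js / axios issue above.

Added example, not code from the issue or any project it names. It assumes
only what the issue states (bad axios 1.14.1 / 0.30.4, payload
plain-crypto-js@4.2.1, the three artifact paths); sample lockfiles are constructed.
"""
import hashlib
import json
import os
import platform
from typing import Dict, List

BAD_AXIOS = {"1.14.1", "0.30.4"}
BAD_PACKAGE = "plain-crypto-js"

# Artifact paths from the issue, keyed by what platform.system() returns.
RAT_ARTIFACTS = {
    "Darwin": ["/Library/Caches/com.apple.act.mond"],
    "Windows": [os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "wt.exe")],
    "Linux": ["/tmp/ld.py"],
}
# Default location of the genuine binary, for the hash comparison the issue asks for.
REAL_POWERSHELL = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                               "System32", "WindowsPowerShell", "v1.0", "powershell.exe")


def _is_bad(name: str, version: str) -> bool:
    return name == BAD_PACKAGE or (name == "axios" and version in BAD_AXIOS)


def _walk_v1(deps: Dict, prefix: str, hits: List[str]) -> None:
    """lockfileVersion 1 nests transitive deps under each entry's "dependencies"."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = meta.get("version", "")
        if _is_bad(name, version):
            hits.append(f"{path}@{version}")
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_bad_entries(lockfile: Dict) -> List[str]:
    """Entries that are plain-crypto-js or a malicious axios, as "path@version".

    lockfileVersion 2/3 have a flat "packages" map keyed by install path (v2 also
    keeps the old nested tree, so prefer "packages"); v1 has only the nested tree.
    """
    hits: List[str] = []
    if "packages" in lockfile:
        for path, meta in lockfile["packages"].items():
            if not path:
                continue  # "" is the root project, not a dependency
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version", "")
            if _is_bad(name, version):
                hits.append(f"{path}@{version}")
    else:
        _walk_v1(lockfile.get("dependencies", {}), "", hits)
    return sorted(hits)


def triage_lockfile(path: str = "package-lock.json") -> List[str]:
    with open(path, encoding="utf-8") as f:
        return find_bad_entries(json.load(f))


def present_rat_artifacts(system: str = platform.system()) -> List[str]:
    """Artifact paths from the issue that exist on this host."""
    return [p for p in RAT_ARTIFACTS.get(system, []) if os.path.exists(p)]


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def wt_exe_is_powershell_copy() -> bool:
    """Windows only: True when %PROGRAMDATA%\\wt.exe is byte-identical to powershell.exe."""
    wt = RAT_ARTIFACTS["Windows"][0]
    if not (os.path.exists(wt) and os.path.exists(REAL_POWERSHELL)):
        return False
    return sha256_of(wt) == sha256_of(REAL_POWERSHELL)


# Constructed samples, not taken from any real repository.
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
    "node_modules/follow-redirects": {"version": "1.15.9"}}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "some-sdk": {"version": "2.0.0", "dependencies": {
        "axios": {"version": "0.30.4"}, "plain-crypto-js": {"version": "4.2.1"}}},
    "follow-redirects": {"version": "1.15.9"}}}

if __name__ == "__main__":
    print("sample v3:", find_bad_entries(SAMPLE_LOCK_V3))
    print("sample v1:", find_bad_entries(SAMPLE_LOCK_V1))
    if os.path.exists("package-lock.json"):
        print("this repo:", triage_lockfile() or "clean")
    print("artifacts on this host:", present_rat_artifacts() or "none")
```

Run it from the repo root on every branch you care about, not just the default one, since each branch carries its own lockfile. An empty artifact list is only as good as the artifact list itself, so treat it as a quick first pass, not as proof the box is clean.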
If any installation succeeded or a RAT artifact is found: treat the system as fully compromised. Rotate all credentials on any system where the malicious package ran: npm tokens, AWS access keys, SSH private keys, cloud credentials (GCP, Azure), CI/CD secrets, and any values present in .env files accessible at install time. Emails, passwords, credit card details, notes, home addresses, where you hide your car keys, the lot.
Do not attempt to clean in place; rebuild from a known-good state, e.g. reimage the entire machine, reinstall Windows, or take your Mac to the Apple Store.
From what I can see, the malware runs via a postinstall hook in the package (node setup.js). It appears to phone home to a C2 server, self-deletes setup.js after execution, and on Windows disguises a copy of powershell.exe as wt.exe in PROGRAMDATA. If you find any node_modules/plain-crypto-js directory anywhere on your system, assume compromise.
If you vendored the dependency
If you committed node_modules/ and the actual plain-crypto-js package is in your tree, removing it in a new commit does not remove it from your repository. Git is append-only. The poisoned files exist in every commit and every branch they were ever checked into. Anyone who checks out, bisects, or cherry-picks across those commits will have the malicious code on disk.
You need to rewrite history to scrub it:
```shell
# option A: git-filter-repo (recommended). Run it in a fresh clone; it drops the
# "origin" remote on purpose, so re-add the remote before you push.
pip install git-filter-repo
git filter-repo --path-glob '*/plain-crypto-js/*' --invert-paths

# option B: BFG Repo-Cleaner. Run it against a --mirror clone, and make sure HEAD
# no longer contains the directory first (BFG leaves the HEAD commit untouched).
bfg --delete-folders plain-crypto-js
git reflog expire --expire=now --all && git gc --prune=now --aggressive
```

Then force-push and have all contributors re-clone.
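To make the history point concrete, here is an added example (not from the issue, and not part of git-filter-repo or BFG) that lists every commit reachable from any ref whose tree still contains a plain-crypto-js directory, and builds a throwaway repository to show that a removal commit does not make the earlier one go away. It assumes only that `git` is on `PATH`; the repository contents, commit messages and function names are constructed stand-ins. Run `commits_containing(".")` before the rewrite to know exactly what you are scrubbing, and again after the rewrite, reflog expiry and gc to confirm it returns an empty list.

```python
"""Which commits still carry a vendored plain-crypto-js directory?

Added example, not from the issue. Assumes only that `git` is on PATH.
The demo repository at the bottom is constructed on the fly.
"""
import os
import subprocess
import tempfile
from typing import Dict, List

BAD_DIR = "plain-crypto-js"


def _git(repo: str, *args: str) -> str:
    """Run git in `repo` with a fixed identity so the demo commits work anywhere."""
    cmd = ["git", "-C", repo, "-c", "user.name=triage",
           "-c", "user.email=triage@example.invalid", "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def commits_containing(repo: str, dirname: str = BAD_DIR) -> List[str]:
    """Commits reachable from any ref whose tree has a path component == dirname.

    `rev-list --all` walks refs only: objects reachable solely from the reflog,
    or dangling, are not reported. That is why the reflog expire + gc step must
    run before an empty result means anything.
    """
    hits = []
    for sha in _git(repo, "rev-list", "--all").split():
        for path in _git(repo, "ls-tree", "-r", "--name-only", sha).splitlines():
            if dirname in path.split("/"):
                hits.append(sha)
                break
    return hits


def refs_containing(repo: str, sha: str) -> List[str]:
    """Branches and tags from which the commit is reachable."""
    return _git(repo, "for-each-ref", "--contains", sha, "--format=%(refname)").split()


def demo_append_only() -> Dict[str, object]:
    """Constructed repo: vendor the package, then 'remove' it in a later commit.

    The removal commit does not make the earlier commit, or its copy of the
    package, go away; only a history rewrite does.
    """
    repo = tempfile.mkdtemp(prefix="pcj-demo-")
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    pkg = os.path.join(repo, "node_modules", BAD_DIR)
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w") as f:
        f.write('{"name": "plain-crypto-js", "version": "4.2.1"}\n')  # stand-in content
    _git(repo, "add", "-A")
    _git(repo, "commit", "-q", "-m", "vendor node_modules")
    vendored = _git(repo, "rev-parse", "HEAD").strip()
    _git(repo, "rm", "-r", "-q", f"node_modules/{BAD_DIR}")
    _git(repo, "commit", "-q", "-m", "remove plain-crypto-js")
    head = _git(repo, "rev-parse", "HEAD").strip()
    return {
        "repo": repo,
        "vendored_commit": vendored,
        "head": head,
        "still_carrying": commits_containing(repo),
        "refs": refs_containing(repo, vendored),
    }


if __name__ == "__main__":
    r = demo_append_only()
    print("HEAD", r["head"], "no longer has the package, but commit(s)",
          r["still_carrying"], "still do, reachable from", r["refs"])
```

`refs_containing` tells you which branches and tags will be rewritten, which is the list of people you have to tell to re-clone. Because the scan walks refs only, a clean result right after `git filter-repo` or `bfg` but before `git reflog expire` and `git gc` can still coexist with the old objects on disk, so run the check last, after gc and before the force-push.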
Disclaimer
The history rewrite steps above are destructive operations. They rewrite commits, invalidate SHAs, and require a force-push. What you do with your computer, and your repository, is entirely your call. This issue is informational only and is not professional security advice. I'm just a person who ran a search and wanted to make sure affected maintainers heard about it.
If this is a false positive (research repo, test fixture, etc.), sorry for the noise; feel free to close.