Check if your computer was affected by the axios npm supply chain attack. One command. No install needed.
Open PowerShell and paste this:
irm https://raw.githubusercontent.com/SufficientDaikon/axios-scanner/main/get.ps1 | iex
Or open a terminal with bash and paste this:
curl -fsSL https://raw.githubusercontent.com/SufficientDaikon/axios-scanner/main/axios-scanner.sh | bash
On March 31, 2026, the npm account of the primary maintainer of axios (114M weekly downloads) was hijacked. Two malicious versions containing a Remote Access Trojan were published. The attack was live for ~3 hours before being reverted.
Your project pulls the latest axios matching your version range (e.g. ^1.14.0)
The malicious version adds a hidden dependency: plain-crypto-js
plain-crypto-js runs setup.js immediately after install — no user interaction needed
The script contacts sfrclak.com:8000 and downloads a backdoor for your OS
The backdoor gives the attacker shell command execution, file theft, and credential exfiltration. The virus then self-destructs to hide evidence.
The scanner shows live progress the entire time. You'll always know it's working and how far along it is.
Finds all copies of axios on your computer and checks if any are the malicious versions (1.14.1 or 0.30.4)
Searches for the malicious "plain-crypto-js" package and suspicious setup.js scripts inside axios folders
Checks for files the virus drops on your system (wt.exe, 6202033.vbs, 6202033.ps1)
Checks if your computer ever contacted the attacker's server (sfrclak.com / 142.11.206.73)
Checks scheduled tasks, startup programs, and registry for anything the attacker left behind
Scans package-lock.json, yarn.lock, and pnpm-lock.yaml for references to compromised versions
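The lockfile check described above, as an added example in JavaScript (not the scanner's own code): it parses package-lock.json instead of text-matching, and covers both the v2/v3 `packages` map and the v1 nested `dependencies` tree so transitive copies of axios are caught. The versions and package name are the ones listed on this page; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not the scanner's code. Indicators are the ones this page lists.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_PACKAGE = "plain-crypto-js";

// Classify one resolved package; returns a finding string or null.
function classify(name, version, where) {
  if (name === BAD_PACKAGE) return `${where}: ${BAD_PACKAGE}@${version}`;
  if (name === "axios" && BAD_AXIOS.has(version)) return `${where}: axios@${version}`;
  return null;
}

// Scan package-lock.json text. Handles the v2/v3 "packages" map and the
// v1 nested "dependencies" tree, so transitive copies are found too.
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const findings = new Set(); // a v2 lockfile lists each package in both sections
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/axios"; "" is the root project.
    const name = meta.name || path.split("node_modules/").pop();
    const hit = classify(name, meta.version, path || "(root)");
    if (hit) findings.add(hit);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}node_modules/${name}`;
      const hit = classify(name, meta.version, where);
      if (hit) findings.add(hit);
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...findings].sort();
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" },
  },
});

console.log(scanPackageLock(SAMPLE_LOCK));
```

To check a real project, pass the contents of its package-lock.json to `scanPackageLock`; yarn.lock and pnpm-lock.yaml use different formats and are not handled by this example.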
Unplug ethernet or turn off Wi-Fi immediately.
This will automatically remove the malicious files it found.
Email, GitHub, npm, cloud services, everything. The attacker had full shell access.
SSH keys, API keys, npm tokens, GitHub PATs. Revoke and recreate all of them.
Look for commits you didn't make. Audit recent CI/CD runs for unauthorized deployments.