On March 31, 2026, malicious versions of axios were published to npm. Drop your lockfile below to find out if you're affected. Takes 2 seconds.
Drop your lockfile here
package-lock.json, yarn.lock, or pnpm-lock.yaml
or paste its contents
Couldn't parse that file. Make sure you're pasting the full contents of a package-lock.json, yarn.lock, or pnpm-lock.yaml file.
Your lockfile tells us what was installed. These commands check if malware is running on your machine right now. Open your terminal and run the one for your operating system.
macOS
ls -la /Library/Caches/com.apple.act.mond 2>&1
Checks for a C++ RAT binary disguised as an Apple system daemon. If you see file details, your system is compromised. If you see "No such file or directory," you're clean.
Linux
ls -la /tmp/ld.py 2>&1
Checks for a Python RAT script dropped by the malware. "No such file" = clean. If the file exists, your system is compromised.
Windows (PowerShell)
Test-Path "$env:PROGRAMDATA\wt.exe"
Checks for a PowerShell RAT disguised as Windows Terminal. "False" = clean. "True" = compromised. (Note: this is NOT your real Windows Terminal — the malware copies PowerShell and renames it to hide.)
All platforms — check for the malicious dependency
find . -path "*/node_modules/plain-crypto-js" -type d 2>/dev/null
Run this in your project folder. The plain-crypto-js package is the trojan horse — it's a typosquat of the real crypto-js library. If this returns any results, that project was affected. No output = clean.
All platforms — check for C2 communication
nslookup sfrclak.com
This is the attacker's command-and-control domain. If it resolves to 142.11.206.73, it's still active. To block it on your machine: echo "0.0.0.0 sfrclak.com" | sudo tee -a /etc/hosts
Get plain-English security alerts when supply chain attacks happen — before they hit the news.