GMS-2026-67: Embedded Malicious Code with vendored remote access trojan
Version 0.0.130 of the npm package @qqbrowser/openclaw-qbot contains vendored malicious code related to the axios supply chain attack of March 31, 2026. This version was published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
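A check for the affected version in a parsed `package-lock.json`, as an added example that is not part of the advisory or of any scanner's own code. Only the package name and version come from the advisory; the lockfile objects and the names `demo-app` and `some-bot` are constructed sample data.

```javascript
// Package name and version as given in the advisory text.
const BAD_NAME = "@qqbrowser/openclaw-qbot";
const BAD_VERSION = "0.0.130";

// Return every location in a parsed package-lock.json where the malicious
// version is pinned, including copies nested under other dependencies.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/@scope/name".
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(marker);
      const name = meta.name || (idx >= 0 ? path.slice(idx + marker.length) : "");
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    // Constructed non-matching version, to show that only 0.0.130 is flagged.
    "node_modules/@qqbrowser/openclaw-qbot": { version: "9.9.9" },
    "node_modules/some-bot/node_modules/@qqbrowser/openclaw-qbot": { version: "0.0.130" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-bot": { version: "2.0.0", dependencies: { "@qqbrowser/openclaw-qbot": { version: "0.0.130" } } },
  },
};

console.log(findAffected(sampleV3), findAffected(sampleV1));
```

A lockfile hit shows the version was pinned, not that it is the only copy on disk, so installed `node_modules` trees and build caches still need to be checked separately.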