GMS-2026-68: Embedded Malicious Code with vendored remote access trojan
Multiple versions of the npm package @shadanai/openclaw contain vendored malicious code related to the axios supply chain attack of March 31, 2026. These versions were published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
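One way to act on the removal guidance above, as an added example that is not part of the advisory: a JavaScript check that reports every install path where a parsed `package-lock.json` resolves `@shadanai/openclaw`, whether direct or transitive. The sample lockfiles, the `some-tool` parent package and the version strings are constructed. The advisory lists no version numbers here, so any version is reported.

```javascript
// Package named in the advisory; every version is treated as malicious.
const BAD_PACKAGE = "@shadanai/openclaw";

// Return [{ path, version }] for each place a parsed package-lock.json installs `name`.
function findBadPackage(lock, name = BAD_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. Nested (transitive)
    // copies end in "/node_modules/<name>"; aliased installs keep the real name in `name`.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const byPath = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (byPath || meta.name === name) hits.push({ path, version: meta.version || "unknown" });
    }
    return hits; // v2 also carries a legacy "dependencies" tree; skip it to avoid duplicates
  }
  // lockfileVersion 1: recursive "dependencies" tree keyed by package name.
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: meta.version || "unknown" });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (package layout and versions are illustrative only).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "2.1.0" },
    "node_modules/some-tool/node_modules/@shadanai/openclaw": { version: "0.0.0-constructed" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": {
      version: "2.1.0",
      dependencies: { "@shadanai/openclaw": { version: "0.0.0-constructed" } },
    },
  },
};

console.log(findBadPackage(SAMPLE_V3), findBadPackage(SAMPLE_V1));
```

Pass the function the result of `JSON.parse` on a project's `package-lock.json`; an empty array means the lockfile does not resolve the package.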