Pull request overview
Adds an incident-response kit (docs + scripts) to scan for and remediate the reported axios supply-chain compromise by detecting affected versions / malicious dependency and applying mitigation steps.
Changes:
- Added incident write-up, IOCs, and remediation steps in axios-supply-chain/README.md.
- Added automated scanners for macOS/Linux (bash) and Windows (PowerShell) to locate affected projects and inject mitigations.
- Added EditorConfig + VS Code extension recommendation to standardize formatting.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| axios-supply-chain/README.md | Documents incident details, IOCs, manual and automated remediation workflows. |
| axios-supply-chain/axios-scan.sh | Bash scanner to locate Node projects, detect affected axios/malicious dep, and inject overrides. |
| axios-supply-chain/axios-scan.ps1 | PowerShell scanner with similar detection/mitigation plus optional Windows firewall blocking. |
| .vscode/extensions.json | Recommends EditorConfig extension for consistent formatting. |
| .editorconfig | Establishes repo-wide formatting rules. |
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.
Bash (axios-scan.sh):
- Remove global error-silent flag variables (HAS_NPM/JQ/NET) that were assigned but never read
- Guard inaccessible project dirs explicitly before detect_package_manager so cd failures in subshells are visible rather than silently swallowed
- Rewrite inject_overrides with trap RETURN cleanup, explicit jq/mv error messages, and separate read-failure path for malformed package.json
- Route find stderr to temp file and report count of skipped directories
- Fix grep -qE → grep -qF for C2 IP (dots are regex wildcards otherwise)
- Fix ls -la → [[ -f ]] for /tmp/ld.py check to avoid polluting stdout
- Extend jq version-range stripping to cover <=, >, < prefixes
- Clarify branch param contract in inject_overrides comment
- Fix banner to print scan path below the box (avoids misalignment for long $HOME paths)
- Clarify C2 check echo: domain is not resolved in socket output

PowerShell (axios-scan.ps1):
- Remove global $ErrorActionPreference = 'SilentlyContinue' that silenced all non-terminating errors across the entire script
- Fill all empty/bare catch{} blocks with Write-Warning logging
- Replace PowerShell JSON fallback with a refusal + manual instructions (ConvertTo-Json corrupts single-element arrays and reorders keys)
- Add try/catch/finally to jq path in Set-AxiosOverride so .tmp is always cleaned up and Move-Item uses -ErrorAction Stop
- Extend version-range stripping regex to cover > and < prefixes
- Fix banner to print scan path below the box (long $USERPROFILE alignment)
- Add comment noting /tmp/ld.py check is Linux-specific, absent on Windows
- Route package manager stderr through catch block instead of 2>$null

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Anchor quick-check grep to axios@X.Y.Z pattern to avoid false positives (e.g. 1.14.10 previously matched 1.14.1)
- Clarify that scripts auto-inject overrides.axios and print remediation steps — they do NOT automatically downgrade axios or remove plain-crypto-js

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…rding
- Split mitigation block so inject_overrides and axios steps only fire when an affected axios version is detected; RAT-only projects get a separate targeted remediation block without incorrect axios override injection
- Anchor version extraction to axios@X.Y.Z pattern (sed strip) to avoid matching project version or other dep versions in pm list output
- Fix preflight message: jq does not preserve formatting exactly, only JSON types and array structure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ng, UTF-8 BOM
- Split mitigation block so Set-AxiosOverride and axios steps only fire when an affected axios version is detected; RAT-only projects get a targeted remediation block without incorrect axios override injection
- Anchor Invoke-PmList version extraction to axios@X.Y.Z pattern to avoid matching project version or other deps in pm list output
- Fix Set-AxiosOverride jq comment: preserves JSON types/array structure, not "formatting and all field types"
- Fix Write-Preflight jq message: formatting may change (key order, whitespace)
- Replace Set-Content -Encoding UTF8 with WriteAllLines + UTF8Encoding($false) to avoid writing UTF-8 BOM on PowerShell 5.1 (corrupts package.json parsers)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
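The two detection fixes that recur in the commit messages above (fixed-string matching of the C2 IP instead of a regex, and anchoring version extraction to the axios@X.Y.Z token so the project's own version or 1.14.10 is not mistaken for 1.14.1) can be seen side by side in the following added example. It is not code from the PR's axios-scan.sh: the IP, the affected-version list, the socket lines and the `npm ls`-style output are all constructed placeholders, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the PR's axios-scan.sh. Shows, on constructed input:
#  1. grep -E vs grep -F when the pattern is an IP address (dots are wildcards in a regex)
#  2. stripping ^ ~ >= <= > < prefixes from a declared version range
#  3. anchoring version extraction/matching to "axios@X.Y.Z" in package-manager output

# Constructed placeholder from the documentation range, NOT the incident's real C2 address.
C2_IP="203.0.113.45"

# Constructed placeholder list, NOT the incident's real affected-version list.
AFFECTED_VERSIONS="1.14.1"

# Constructed socket-table lines (shape of ss/netstat output, not real captures).
# The look-alike host shares every digit with C2_IP but is a different string.
REAL_C2_LINE='tcp ESTAB 0 0 10.0.0.5:51234 203.0.113.45:443'
LOOKALIKE_LINE='tcp ESTAB 0 0 10.0.0.5:51235 203x0x113x45:443'

# Constructed "npm ls axios"-style output: project version 1.14.1, installed axios 1.14.10.
PM_LIST_OUTPUT='demo-project@1.14.1 /home/user/demo-project
└── axios@1.14.10'

# Regex match: every "." in C2_IP is a wildcard, so the look-alike host matches too.
c2_match_regex() { printf '%s\n' "$1" | grep -qE "$C2_IP"; }

# Fixed-string match: dots are literal, so only the real address matches.
c2_match_fixed() { printf '%s\n' "$1" | grep -qF -- "$C2_IP"; }

# Remove a leading ^, ~, >=, <=, > or < from a package.json version range.
strip_range_prefix() { printf '%s\n' "$1" | sed -E 's/^([~^]|[<>]=?)//'; }

# Naive quick check: a plain substring search for "1.14.1" also hits "1.14.10"
# and the project's own "demo-project@1.14.1".
naive_version_hit() { printf '%s\n' "$1" | grep -q "$2"; }

# Anchored check: require "axios@<version>" followed by a non-digit or end of line.
anchored_version_hit() {
  escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -qE "axios@${escaped}([^0-9]|$)"
}

# Extract the installed axios version, anchored to the "axios@X.Y.Z" token only.
extract_axios_version() {
  printf '%s\n' "$1" | sed -n -E 's/.*axios@([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | head -n 1
}

# Whole-line, fixed-string membership test against the affected list.
is_affected_version() { printf '%s\n' "$AFFECTED_VERSIONS" | grep -qxF -- "$1"; }

main() {
  if c2_match_regex "$LOOKALIKE_LINE"; then
    echo "grep -E: false positive on look-alike host $LOOKALIKE_LINE"
  fi
  if ! c2_match_fixed "$LOOKALIKE_LINE"; then
    echo "grep -F: look-alike host correctly ignored"
  fi
  if naive_version_hit "$PM_LIST_OUTPUT" "$AFFECTED_VERSIONS"; then
    echo "naive grep: false positive (matches project version and 1.14.10)"
  fi
  installed=$(extract_axios_version "$PM_LIST_OUTPUT")
  echo "installed axios: $installed"
  if is_affected_version "$installed"; then
    echo "installed axios is in the affected list"
  else
    echo "installed axios is not in the affected list"
  fi
  declared=$(strip_range_prefix '^1.14.1')
  echo "declared version with range prefix stripped: $declared"
  if is_affected_version "$declared"; then
    echo "package.json declares an affected version"
  fi
}

main "$@"
```

Note that the affected-version comparison is a whole-line fixed-string match (`grep -qxF`), so the same list cannot produce the 1.14.1/1.14.10 confusion that the unanchored quick check did; the regex form is kept only to show the false positive it causes.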
Addressing all open Copilot review comments — fixed in commits:
- Version extraction false-positive (#3017060088, #3017060112, #3017060129, #3017060206)
- inject_overrides called for RAT-only projects (#3017060163, #3017060176, #3017060235)
- "jq preserves exactly" misleading (#3017156816, #3017156878, #3017156913)
- UTF-8 BOM on PS 5.1 (#3017156898)
- README quick-check false positive (#3017156740)
- README "apply mitigations automatically" (#3017156933)
Summary
Adds an axios supply-chain attack scanner toolkit for the incident on 2026-03-30, plus all fixes from post-merge review.
Scanner scripts added
- axios-supply-chain/axios-scan.sh — Bash scanner for macOS/Linux
- axios-supply-chain/axios-scan.ps1 — PowerShell scanner for Windows
- axios-supply-chain/README.md — Incident documentation and usage guide

Fixes applied after review

Bash (axios-scan.sh)
- `cd` so failures aren't silently swallowed by `|| true`
- `.editorconfig` compliance)
- `inject_overrides` with `trap RETURN` cleanup and explicit error messages on `jq`/`mv` failure
- `jq` read failure (malformed JSON no longer silently proceeds to write)
- `find` stderr to temp file and report count of skipped directories
- `grep -qE` → `grep -qF` for C2 IP check (unescaped dots are regex wildcards)
- `<=`, `>`, `<` prefixes
- `ls -la /tmp/ld.py` with `[[ -f ... ]]` to avoid polluting stdout
- `HAS_NPM`/`HAS_JQ`/`HAS_NET` flag variables
- `$HOME` paths
- `inject_overrides` branch param contract in comment

PowerShell (axios-scan.ps1)
- `$ErrorActionPreference = 'SilentlyContinue'` that silenced all non-terminating errors
- `catch {}` blocks with `Write-Warning` logging
- `.editorconfig` compliance)
- `ConvertTo-Json` corrupts single-element arrays and reorders keys on PS 5.x)
- `try/catch/finally` to jq path so `.tmp` is always cleaned up and `Move-Item` uses `-ErrorAction Stop`
- `>` and `<` prefixes
- `$USERPROFILE` paths
- `/tmp/ld.py` check is Linux-specific
- `2>$null`

README
- `jq`, declared-version detection falls back to regex (may miss non-standard fields) and `overrides` auto-injection is disabled entirely
- Macos → macOS