docs(axios-supply-chain): clarify jq dependency impact and platform-specific behavior#2
Bash (axios-scan.sh):
- Remove global error-silent flag variables (HAS_NPM/JQ/NET) that were
assigned but never read
- Guard inaccessible project dirs explicitly before detect_package_manager
so cd failures in subshells are visible rather than silently swallowed
- Rewrite inject_overrides with trap RETURN cleanup, explicit jq/mv error
messages, and separate read-failure path for malformed package.json
- Route find stderr to temp file and report count of skipped directories
- Fix grep -qE → grep -qF for C2 IP (dots are regex wildcards otherwise)
- Fix ls -la → [[ -f ]] for /tmp/ld.py check to avoid polluting stdout
- Extend jq version-range stripping to cover <=, >, < prefixes
- Clarify branch param contract in inject_overrides comment
- Fix banner to print scan path below the box (avoids misalignment for
long $HOME paths)
- Clarify C2 check echo: domain is not resolved in socket output
PowerShell (axios-scan.ps1):
- Remove global $ErrorActionPreference = 'SilentlyContinue' that silenced
all non-terminating errors across the entire script
- Fill all empty/bare catch{} blocks with Write-Warning logging
- Replace PowerShell JSON fallback with a refusal + manual instructions
(ConvertTo-Json corrupts single-element arrays and reorders keys)
- Add try/catch/finally to jq path in Set-AxiosOverride so .tmp is always
cleaned up and Move-Item uses -ErrorAction Stop
- Extend version-range stripping regex to cover > and < prefixes
- Fix banner to print scan path below the box (long $USERPROFILE alignment)
- Add comment noting /tmp/ld.py check is Linux-specific, absent on Windows
- Route package manager stderr through catch block instead of 2>$null
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Closing — this was opened against the wrong base branch. The fixes from this branch are already included in PR #1 (feature → develop).
Pull request overview
Adds an “axios supply-chain attack” incident runbook to the repo, including cross-platform scanner/remediation scripts plus repo-wide editor configuration to keep formatting consistent.
Changes:
- Introduces Bash and PowerShell scanners that search user-home projects for affected `axios` versions / malicious `plain-crypto-js` and print or apply mitigations (including optional `overrides` injection).
- Adds incident documentation (IOCs, manual checks, remediation steps, references).
- Adds `.editorconfig` and VS Code extension recommendations for consistent formatting.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| axios-supply-chain/README.md | Incident documentation and usage guidance for the scanners/remediation steps. |
| axios-supply-chain/axios-scan.sh | macOS/Linux Bash scanner with optional jq-based overrides injection and C2/artifact checks. |
| axios-supply-chain/axios-scan.ps1 | Windows PowerShell scanner with optional jq-based overrides injection and Windows Firewall C2 block. |
| .vscode/extensions.json | Recommends EditorConfig extension in VS Code. |
| .editorconfig | Establishes formatting rules (tabs by default; 2-space JSON/YAML/MD). |
| local tmp_file="${pkg_file}.tmp" | ||
| # Write to a temp file first so the original is not truncated if jq fails mid-run | ||
| trap 'rm -f "${tmp_file}"' RETURN | ||
| if ! jq --arg v "${safe_version}" '.overrides.axios = $v' "${pkg_file}" > "${tmp_file}"; then | ||
| echo -e " ${RED}[!] jq failed writing to ${tmp_file} — ${pkg_file} NOT modified.${RESET}" >&2 | ||
| return 1 | ||
| fi | ||
| if ! mv "${tmp_file}" "${pkg_file}"; then | ||
| echo -e " ${RED}[!] Failed to rename temp file — original intact. Temp file left at ${tmp_file}.${RESET}" >&2 |
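Review bot: the `> "${tmp_file}"` redirect creates a brand-new file with the default umask mode and the invoking user as owner, and the following `mv "${tmp_file}" "${pkg_file}"` renames it over the original, so the rewritten package.json silently loses the original's permission bits and group ownership. Seed the temp file with `cp -p "${pkg_file}" "${tmp_file}"` before the jq write (the redirect then truncates in place and keeps the mode), or chmod it to the original's mode before the rename. The failure message on the `mv` path correctly says the original is intact, but the earlier jq-failure path relies on the trap for cleanup; an explicit `rm -f "${tmp_file}"` next to each `return 1` would make the cleanup visible at the point of failure.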
inject_overrides sets a global trap ... RETURN and never unsets it. After the first call, that RETURN trap will run on every subsequent function return (e.g., detect_package_manager), and will attempt to rm a ${tmp_file} that no longer exists, which can spam errors or abort the script under set -e. Consider avoiding a RETURN trap here (explicit cleanup on each error path) or ensure the trap is scoped/unset before returning.
Also, ${pkg_file}.tmp is a predictable temp filename in a user-writable directory; prefer mktemp to avoid collisions/symlink risks.
| _skipped=$(grep -c . "${_find_errors}" 2>/dev/null || echo 0) | ||
| rm -f "${_find_errors}" | ||
| if [[ "${_skipped}" -gt 0 ]]; then | ||
| echo -e "${YELLOW}[!] ${_skipped} director(ies) could not be scanned (permission denied). Run as root for full coverage.${RESET}" |
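Review bot: `_skipped=$(grep -c . "${_find_errors}" 2>/dev/null || echo 0)` produces two lines (`0`, newline, `0`) in the common case where nothing was skipped, because `grep -c` prints `0` and still exits 1 when there are no matches, so the `|| echo 0` fallback appends a second `0`. `[[ "${_skipped}" -gt 0 ]]` then reports an arithmetic syntax error instead of evaluating to false, and the user sees a spurious error on every clean run. Use `_skipped=$(grep -c . "${_find_errors}" 2>/dev/null) || true` and only default when the variable is empty (the temp file was unreadable), e.g. `: "${_skipped:=0}"`.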
Typo in user-facing message: "director(ies)" should be "directory(ies)".
| echo -e "${YELLOW}[!] ${_skipped} director(ies) could not be scanned (permission denied). Run as root for full coverage.${RESET}" | |
| echo -e "${YELLOW}[!] ${_skipped} directory(ies) could not be scanned (permission denied). Run as root for full coverage.${RESET}" |
| ## Automated scanning | ||
|
|
||
| This repo contains two scanner scripts that walk every Node.js project under `$HOME`, check for affected versions, and apply mitigations automatically. | ||
|
|
||
| ### macOS / Linux | ||
|
|
||
| ```bash | ||
| ./axios-scan.sh | ||
| ``` | ||
|
|
||
| Requires: `bash`, `npm`, `jq` (optional but strongly recommended — without it, declared-version detection for projects without `node_modules` falls back to regex parsing which may miss non-standard dependency fields, and `overrides` auto-injection is disabled entirely). |
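Review bot: the intro sentence "check for affected versions, and apply mitigations automatically" promises more than the requirements line grants: the same hunk says that without `jq` the `overrides` auto-injection is disabled entirely, so on a jq-less host the script detects and prints instructions but applies nothing. Qualify the intro ("and, where `jq` is available, apply mitigations") so a reader who stops at the first paragraph does not assume the run remediated anything. Consider also moving the "Requires:" line above the `./axios-scan.sh` fence, since most readers will copy the command before reaching the paragraph below it.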
The stated requirements are more restrictive than the scripts: axios-scan.sh can use pnpm/yarn and can still do file-based detection even if npm is missing. Also the Windows script scans under %USERPROFILE%, not $HOME. Consider rewording to "Requires: bash; at least one of npm/pnpm/yarn (recommended); jq optional" and describe scanning the user's home directory generically across platforms.
| # axios Supply-Chain Attack — Scanner & Remediation | ||
|
|
||
| **Incident date:** 2026-03-30 | ||
| **Severity:** Critical — Remote Access Trojan (RAT) dropper | ||
|
|
PR title/description indicate this is a documentation-only clarification, but this PR also introduces new remediation/scanner scripts and editor configuration files. Please update the PR title/description (or split the change) so reviewers/users understand the scope and operational impact.
| fi | ||
|
|
||
| if command -v jq &>/dev/null; then | ||
| echo -e " ${GREEN}jq ✓ found — overrides injection will preserve package.json exactly${RESET}" |
The output claim that jq-based injection will "preserve package.json exactly" is inaccurate: jq will rewrite JSON formatting (whitespace/newlines) and may change ordering. Suggest rephrasing to focus on preserving JSON structure/types (and avoiding PowerShell ConvertTo-Json pitfalls), rather than exact formatting.
| echo -e " ${GREEN}jq ✓ found — overrides injection will preserve package.json exactly${RESET}" | |
| echo -e " ${GREEN}jq ✓ found — overrides injection will preserve package.json structure/types${RESET}" | |
| echo -e " (avoids PowerShell ConvertTo-Json re-serialization pitfalls)${RESET}" |
| Write-Host " jq + found — overrides injection will preserve package.json exactly" -ForegroundColor Green | ||
| } else { | ||
| Write-Host " jq x missing — auto-injection disabled to avoid corrupting package.json" -ForegroundColor Yellow |
Comment/text claims jq "preserves arrays, formatting, and all field types" / "preserve package.json exactly". jq will preserve data types, but it will rewrite formatting (whitespace/newlines) and may change key ordering. Consider adjusting wording to avoid promising exact formatting preservation.
| Write-Host " jq + found — overrides injection will preserve package.json exactly" -ForegroundColor Green | |
| } else { | |
| Write-Host " jq x missing — auto-injection disabled to avoid corrupting package.json" -ForegroundColor Yellow | |
| Write-Host " jq + found — structured overrides with preserved JSON fields/types" -ForegroundColor Green | |
| } else { | |
| Write-Host " jq x missing — auto-injection disabled to avoid risking package.json format" -ForegroundColor Yellow |
Summary
Why
Documentation accuracy: the previous wording understated the functional impact of missing jq and mixed platform-specific behavior without clarity.