critical · Supply chain

AGS-2026-0002

Axios supply chain poisoning attack

Attackers tampered with axios@1.14.1 and axios@0.30.4 to plant the malicious dependency plain-crypto-js@4.2.1. When installing the latest version via npx, a malicious script is automatically triggered to achieve cross-platform persistent control. The attack chain covers Windows, macOS, and Linux platforms, featuring strong anti-analysis/evasion and self-destructive capabilities.

Affected

  • namePattern: axios
    versionRange: 1.14.1, 0.30.4
  • namePattern: wt.exe
  • namePattern: ld.py
  • namePattern: com.apple.act.mond

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

Inspect paths

  • ~/.nvm/**/node_modules/
  • ~/.openclaw/**/node_modules/
  • ~/.npm/_npx/
  • ./Library/Caches/
  • ./tmp/
  • C:\ProgramData\
  • C:\Users\*\AppData\Local\Temp\
  • *%LOCALAPPDATA%\npm-cache\_npx\

Remediation: uninstall

1. Check Axios Version

    # Check installed npm packages
    npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
    # Check the project's lockfile
    grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"

2. Check for Malicious Dependency

    # Verify if the malicious package exists in node_modules
    ls node_modules/plain-crypto-js 2>/dev/null && echo "⚠️ POTENTIALLY AFFECTED"

3. Check for System-Level Persistence Indicators

    # macOS
    ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "🚨 COMPROMISED"
    # Linux
    ls -la /tmp/ld.py 2>/dev/null && echo "🚨 COMPROMISED"
    # Windows (execute via cmd.exe)
    dir "%PROGRAMDATA%\wt.exe" 2>nul && echo "🚨 COMPROMISED"

4. If Affected, Clear npx Cache (not needed on unaffected systems; prevents secondary infection from MCP/CLI tools)

    # macOS / Linux
    rm -rf ~/.npm/_npx
    # Windows
    rmdir /s /q "%LOCALAPPDATA%\npm-cache\_npx"

5. Full Dependency Audit

    # Audit production dependencies only
    npm audit --production
    # Scan the entire dependency tree for the malicious package
    npm ls --depth=Infinity | grep plain-crypto-js

6. Lock Axios to a Safe Version

    // Example: package.json
    {
      "dependencies": {
        "axios": "1.14.0"
      }
    }
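The lockfile check in step 1 matches text rather than resolved entries. As an added example (not part of the advisory or of AgentGuard's tooling), the function below parses package-lock.json and reports every resolved copy of the flagged packages, including nested and aliased installs. The name `scanLockfile` and the sample lockfile are constructed for illustration.

```javascript
// Added example. Indicators are the ones named in the advisory above.
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);
const BAD_DEP = 'plain-crypto-js'; // matched by name, as the manual checks do

// Scan package-lock.json text (lockfileVersion 1, 2 or 3) and return one
// finding per resolved install of a flagged package.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const check = (name, version, where) => {
    if (name === 'axios' && BAD_AXIOS.has(version)) {
      findings.push({ name, version, where, reason: 'tampered axios release' });
    } else if (name === BAD_DEP) {
      findings.push({ name, version, where, reason: 'malicious dependency' });
    }
  };
  // v2/v3: flat "packages" map keyed by install path; "" is the project root.
  // Nested copies look like "node_modules/a/node_modules/axios".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const i = path.lastIndexOf('node_modules/');
    // meta.name is present when the folder name differs (npm aliases).
    const name = meta.name || (i < 0 ? path : path.slice(i + 13));
    check(name, meta.version, path);
  }
  // v1 only: nested "dependencies" tree (v2 repeats it, so skip it there).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile (v3), not taken from a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/some-cli/node_modules/axios': { version: '1.14.0' },
  },
});

console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the contents of its package-lock.json to `scanLockfile`; an empty array means no flagged entry was resolved in that lockfile, which does not replace the persistence checks in step 3.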

References