Embedded Malicious Code with vendored remote access trojan
Version 0.0.130 of the npm package @qqbrowser/openclaw-qbot contains vendored malicious code related to the axios supply chain attack of March 31, 2026. This version was published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
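One way to check whether a project pins the affected version, including copies nested under other dependencies, is to scan the parsed `package-lock.json`. This is an added example, not code from the advisory or from any npm tooling; the sample lockfile, the `left-helper` dependency name and the `0.0.0-constructed` version are constructed for illustration.

```javascript
// Added example: locate the affected package version in npm lockfile data.
const BAD_NAME = "@qqbrowser/openclaw-qbot"; // package named in the advisory
const BAD_VERSION = "0.0.130";               // version named in the advisory

// Takes a parsed package-lock.json object and returns every install path
// where the affected version is pinned, top-level or nested.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "name" is recorded when the folder name differs from the real package
    // name (aliases); otherwise derive it from the last path segment.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
  }
  // lockfileVersion 1 (and the legacy section of v2): nested "dependencies".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      const match = name === BAD_NAME && meta.version === BAD_VERSION;
      if (match && !hits.includes(here)) hits.push(here); // avoid v2 duplicates
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one nested affected copy, one other version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/left-helper/node_modules/@qqbrowser/openclaw-qbot": {
      version: "0.0.130",
    },
    // Constructed non-matching version; the check only matches 0.0.130.
    "node_modules/@qqbrowser/openclaw-qbot": { version: "0.0.0-constructed" },
  },
};

console.log(findAffected(sampleLock));
```

To use it on a real project, pass `findAffected` the result of `JSON.parse` on the project's `package-lock.json`; any returned path means the affected version was resolved for that tree.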