Advisories for npm/@shadanai/openclaw package

2026

Embedded Malicious Code with vendored remote access trojan

Multiple versions of the npm package @shadanai/openclaw contain vendored malicious code related to the axios supply chain attack of March 31, 2026. These versions were published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
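One way to check a project for this package, as an added example that is not part of the advisory: it scans a parsed `package-lock.json` for `@shadanai/openclaw` at any version, since the advisory treats the whole package as malicious, and also catches nested and aliased installs. The function names and the sample lockfile (including the `0.0.0-sample` version) are constructed for illustration.

```javascript
// Added example: helper names are hypothetical; the sample lockfile is constructed.
const BAD_PACKAGE = "@shadanai/openclaw"; // package named in the advisory

// Real package name of a lockfile v2/v3 "packages" entry: an explicit `name`
// field (written for aliased installs) wins over the install path.
function nameFromEntry(path, entry) {
  if (entry && typeof entry.name === "string") return entry.name;
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? "" : path.slice(i + marker.length);
}

// Returns every place the package appears, at any version and any depth.
function findInLockfile(lock, target = BAD_PACKAGE) {
  const hits = [];
  // Lockfile v2/v3: flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (nameFromEntry(path, entry) === target) {
      hits.push({ where: path, version: entry.version || "unknown" });
    }
  }
  // Lockfile v1 (and the v2 compatibility section): nested dependency tree.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const version = String(entry.version || "");
      // v1 records an alias as version "npm:<real-name>@<version>".
      const aliased = version.startsWith("npm:" + target + "@");
      if (name === target || aliased) {
        hits.push({ where: [...trail, name].join(" > "), version });
      }
      walk(entry.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: one nested install and one aliased install.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/@shadanai/openclaw": { version: "0.0.0-sample" },
    "node_modules/claw-alias": { name: "@shadanai/openclaw", version: "0.0.0-sample" },
  },
};
console.log(findInLockfile(sampleLock));
```

To check a real project, pass the parsed contents of its `package-lock.json`. An empty result only covers what the lockfile records, not packages installed without one.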