OpenClaw v3.28 Faces Supply Chain Risks via Poisoned Axios Package

Pieter van Meer

A critical security vulnerability has been identified in the OpenClaw version 3.28 release, potentially exposing users to malicious code. The threat stems from a supply chain attack targeting axios, one of the most widely utilized HTTP client libraries in the JavaScript ecosystem. Security experts are urging developers and cryptocurrency project maintainers to audit their dependencies immediately to mitigate the risk of data theft or unauthorized access.

SlowMist Founder Issues Urgent Security Warning

The alert was brought to public attention by Yu Xian, the founder of the blockchain security firm SlowMist. According to a statement posted on the X platform on March 31, 2026, the latest iteration of OpenClaw may have integrated a compromised version of axios. This incident follows reports that the npm core package axios version 1.14.1 was the subject of an active supply chain attack earlier today.

If users are using the latest version 3.28 of OpenClaw, it may introduce a poisoned version of axios, and users are advised to check immediately.

Indirect Dependencies and Wider Ecosystem Impact

The scope of the threat extends beyond the primary OpenClaw software. Yu Xian noted that related Skills—modular extensions or plugins—could also be indirectly affected if they rely on the tainted axios dependency. Because axios is a foundational tool for many decentralized applications (dApps) and trading bots, the potential for cross-contamination is high.

  • Direct Impact: OpenClaw v3.28 users are at immediate risk.
  • Indirect Impact: Third-party Skills and plugins utilizing axios version 1.14.1.
  • Supply Chain Risk: Automated build processes may have pulled the malicious package during deployment.

Supply chain attacks occur when attackers inject malicious code into a trusted software component to compromise downstream users who rely on that component.

While the poisoning incident was discovered relatively quickly, the widespread adoption of the axios library necessitates a thorough audit of all Node.js environments and GitHub repositories associated with OpenClaw. Users are advised to verify their package-lock.json files and ensure they are not running the flagged version. Experts recommend rolling back to a known stable version of axios or waiting for an official patch from the OpenClaw development team.
