An AI-powered, cross-platform PowerShell forensic scanner for detecting evidence of the March 31, 2026 Axios NPM supply chain attack, which distributed a malicious plain-crypto-js dependency via compromised versions of the axios package (v1.14.1 and v0.30.4). RatCatcher runs ten checks covering the full compromise kill chain, produces detailed reports, and automatically evaluates every finding using Gemma 4 AI to distinguish real threats from false positives.
Supported Platforms: Windows, macOS, and Linux.
You can read more about the attack here: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
- Cross-Platform Support - RatCatcher now runs on Windows, macOS, and Linux. The scanner auto-detects the platform and uses OS-specific checks for dropped payloads, persistence mechanisms, network evidence, and credential locations. Requires PowerShell 7.0+.
- Automatic AI Evaluation - Every scan is automatically analysed by Gemma 4 AI. No manual steps needed - by the time you open the dashboard, the AI has already determined what is a real threat and what is a false positive.
- Manager Certification - When AI confirms a compromise, a manager must review the findings and certify with their name before the case is closed. Creates an audit trail.
- Override AI Verdict - If AI incorrectly flags a submission as compromised, managers can mark it as a false positive from the Technical Report with a reason and their name for audit.
- AI Verdicts in Reports - Technical Reports show AI assessments inline on each finding with colour-coded verdicts and reasoning.
- Updated Threat Intelligence - AI uses the latest IOCs from Elastic Security Labs, Unit42, Microsoft, and Google Threat Intelligence, including the confirmed North Korean state actor attribution.
- Remediation Tracking - Machines that were previously compromised but scanned clean are flagged as Remediated. Click any hostname to see full scan history.
- Simplified Dashboard - Six filter cards: Total, Clean, Reviewed, Positive Findings, Unreviewed, and Remediated. Every submission is accounted for.
- Faster Scans - Scanner skips non-development directories (media, drivers, VMs) to reduce scan time and false positives.
- Status Legend - Built-in legend explaining every dashboard status badge and manager certification flow.
Note: The original Copilot Agent workflow still works exactly as before. AI is an addition, not a replacement. You can use AI only, Copilot only, or both.
NOTE: It is recommended that you stop and save all work before running. This scan can take a very long time.
- PowerShell 7.0+ (required on macOS and Linux, and for the parallel lockfile analysis; on Windows the scanner also runs under Windows PowerShell 5.1, but the lockfile check then runs sequentially and takes far longer, see the timing table below)
- No additional modules required
Installing PowerShell 7:
| Platform | Command |
|---|---|
| Windows | winget install Microsoft.PowerShell |
| macOS | brew install powershell |
| CentOS/RHEL | sudo dnf install powershell (after adding Microsoft repo) |
| Ubuntu/Debian | sudo apt install powershell (after adding Microsoft repo) |
```powershell
git clone https://github.com/mbfromit/RatCatcher.git
cd RatCatcher
```

Or, without git:

- Go to the repository on GitHub
- Click Code → Download ZIP
- Extract the ZIP to a folder of your choice (e.g. C:\Tools\RatCatcher)
- Open PowerShell and `cd` into that folder
If you haven't run unsigned PowerShell scripts before on Windows, you may need to adjust the execution policy for your session:

```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
```

Important: This only changes the policy for the current PowerShell window. After the scan completes, close the PowerShell window or restore the default policy by running:

```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted
```

Leaving the execution policy on Bypass allows any script to run without warning, which is a security risk. If you prefer not to touch the session policy at all, `pwsh -ExecutionPolicy Bypass -File .\Invoke-RatCatcher.ps1` applies Bypass to that single process only and leaves the window's policy unchanged.
On macOS and Linux, execution policy is not required. Simply run with pwsh.
```powershell
# Windows
.\Invoke-RatCatcher.ps1

# macOS / Linux
pwsh ./Invoke-RatCatcher.ps1
```

The script auto-detects the platform and displays which folders will be scanned. To scan a specific path instead:

```powershell
# Windows
.\Invoke-RatCatcher.ps1 -Path C:\Dev

# macOS
pwsh ./Invoke-RatCatcher.ps1 -Path ~/Projects

# Linux
pwsh ./Invoke-RatCatcher.ps1 -Path /home/user
```

Several paths can be given at once:

```powershell
.\Invoke-RatCatcher.ps1 -Path C:\Dev, C:\Projects, C:\Users\you\source
```

To write the reports somewhere other than the default location:

```powershell
.\Invoke-RatCatcher.ps1 -OutputPath C:\IR\Reports
```

Before the scan begins, you will be prompted to enter a submission password. This password is required; the scan will not run without it. Contact your manager or the DevOps team to obtain the password.
Reports are always saved locally to C:\Logs on Windows or /tmp on macOS/Linux (or -OutputPath).
| PowerShell Version | Check 2 (lockfile analysis) |
|---|---|
| 5.1 | Sequential — can take 30–60 min on large machines |
| 7+ | Parallel (4 threads by default) — typically under 2 min |
To install PowerShell 7 side-by-side with your existing PS5.1:

```powershell
winget install Microsoft.PowerShell
```

Then run the scanner with pwsh instead of powershell:

```powershell
pwsh .\Invoke-RatCatcher.ps1
```

You can also adjust the thread count:

```powershell
pwsh .\Invoke-RatCatcher.ps1 -Threads 8
```

Check 1 recursively walks every folder in the scan path looking for package.json files, skipping node_modules subdirectories so that the package.json of every installed dependency is not mistaken for a project. This builds the complete list of Node.js projects on the machine that will be examined in checks 2 and 3.
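The project walk described above, as an added PowerShell 7 example (not RatCatcher's own code). It walks the tree itself so that node_modules and the non-development folders are pruned before descent rather than filtered afterwards, which is what keeps the scan fast; `Get-ChildItem -Recurse -Exclude` would still descend into every node_modules tree. The list of pruned folder names and the `Find-NodeProjects` name are this example's assumptions; the page only says media, driver and VM folders are skipped. The demo tree at the bottom is constructed.

```powershell
# Added example, not part of RatCatcher. Project discovery with directory pruning.
# Folder names below are assumed for illustration; the page does not list them.
$PruneDirs = @('node_modules', '.git', 'Music', 'Pictures', 'Videos', 'Virtual Machines')

function Find-NodeProjects {
    param([Parameter(Mandatory)][string[]]$Path)
    $stack = [System.Collections.Stack]::new()
    foreach ($root in $Path) {
        if (Test-Path -LiteralPath $root -PathType Container) {
            $stack.Push((Get-Item -LiteralPath $root))
        }
    }
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        # A directory is a project if it carries its own package.json
        if (Test-Path -LiteralPath (Join-Path $dir.FullName 'package.json') -PathType Leaf) {
            $dir.FullName
        }
        foreach ($child in Get-ChildItem -LiteralPath $dir.FullName -Directory -Force -ErrorAction SilentlyContinue) {
            # Prune by name, and never follow symlinks/junctions (loops, out-of-scope trees)
            if ($child.Name -in $PruneDirs) { continue }
            if ($child.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) { continue }
            $stack.Push($child)
        }
    }
}

# Constructed demo tree: one real project, one dependency package.json under
# node_modules that must not be reported, and a pruned media folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) "ratcatcher-walk-$(Get-Random)"
foreach ($d in 'app', 'app/node_modules/left-pad', 'Videos/clip') {
    $full = Join-Path $demo $d
    New-Item -ItemType Directory -Path $full -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $full 'package.json') -Value '{}'
}
try     { Find-NodeProjects -Path $demo }
finally { Remove-Item -LiteralPath $demo -Recurse -Force }
```

Only the `app` directory is a project here; the `left-pad` package.json sits under a pruned node_modules and the `Videos` subtree is never entered.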
For every project found in check 1, the scanner examines whichever lockfile is present (package-lock.json, yarn.lock, or pnpm-lock.yaml) and looks for two specific indicators:
- Vulnerable axios versions — `1.14.1` or `0.30.4` (the two compromised releases published by the attacker)
- Malicious plain-crypto-js — version `4.2.1` (the RAT-dropping dependency injected via the compromised axios releases)
A hit here means the project referenced a malicious package at install time. It does not confirm the package was actually installed — check 3 verifies physical presence.
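The lockfile logic above, as an added PowerShell 7 example (not RatCatcher's own code): one function that takes a lockfile's name and text and returns the matching package/version pairs. It covers package-lock.json v1 (`dependencies` tree) and v2/v3 (`packages` map), yarn v1 and berry (`version` lines), and pnpm v5 and later (`/pkg/ver:`, `/pkg@ver:` and `pkg@ver:` entry keys). The function name is this example's choice, and the three lockfiles at the bottom are constructed samples, not files from a real project.

```powershell
# Added example, not part of RatCatcher. Looks for the compromised axios releases
# and the malicious plain-crypto-js version (the IOCs from this page) in lockfile text.
# Requires PowerShell 7 (ConvertFrom-Json -AsHashtable).
$BadVersions = @{
    'axios'           = @('1.14.1', '0.30.4')
    'plain-crypto-js' = @('4.2.1')
}

function Find-LockfileIndicators {
    param(
        [Parameter(Mandatory)][string]$LockfileName,   # package-lock.json | yarn.lock | pnpm-lock.yaml
        [Parameter(Mandatory)][string]$Content
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    $record = {
        param($Package, $Version, $Where)
        if ($BadVersions.ContainsKey($Package) -and $BadVersions[$Package] -contains $Version) {
            $hits.Add([pscustomobject]@{ Package = $Package; Version = $Version; Source = $Where })
        }
    }

    switch -Regex ($LockfileName) {
        '^package-lock\.json$' {
            $json = $Content | ConvertFrom-Json -AsHashtable
            # lockfileVersion 2/3: flat "packages" map keyed by path, e.g. node_modules/axios
            if ($json['packages']) {
                foreach ($path in @($json['packages'].Keys)) {
                    $name = ($path -split 'node_modules/')[-1]      # last segment is the package name
                    & $record $name $json['packages'][$path]['version'] 'packages'
                }
            }
            # lockfileVersion 1: nested "dependencies" tree, walked iteratively
            $stack = [System.Collections.Stack]::new()
            if ($json['dependencies']) { $stack.Push($json['dependencies']) }
            while ($stack.Count -gt 0) {
                $deps = $stack.Pop()
                foreach ($name in @($deps.Keys)) {
                    & $record $name $deps[$name]['version'] 'dependencies'
                    if ($deps[$name]['dependencies']) { $stack.Push($deps[$name]['dependencies']) }
                }
            }
        }
        '^yarn\.lock$' {
            # Entry header at column 0 (axios@^1.14.0:  or  "@scope/pkg@npm:^1.0.0":)
            # followed by an indented version line:  version "1.14.1"  or  version: 1.14.1
            $pattern = '(?m)^"?(?<pkg>@?[^@\s"]+)@[^\n]*\n\s+version:? "?(?<ver>[^"\n]+)"?'
            foreach ($m in [regex]::Matches($Content, $pattern)) {
                & $record $m.Groups['pkg'].Value $m.Groups['ver'].Value 'yarn.lock'
            }
        }
        '^pnpm-lock\.yaml$' {
            # Indented entry keys:  /axios/1.14.1: (v5)   /axios@1.14.1: (v6)   axios@1.14.1: (v9)
            $pattern = '(?m)^\s+/?(?<pkg>@?[^@\s]+)[@/](?<ver>\d[^:(\s]+)'
            foreach ($m in [regex]::Matches($Content, $pattern)) {
                & $record $m.Groups['pkg'].Value $m.Groups['ver'].Value 'pnpm-lock.yaml'
            }
        }
        default { throw "Unsupported lockfile: $LockfileName" }
    }
    return $hits
}

# Constructed samples (not taken from any real project); integrity values are placeholders.
$SamplePackageLock = @'
{ "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo", "dependencies": { "axios": "^1.14.0" } },
    "node_modules/axios": { "version": "1.14.1", "dependencies": { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { "version": "4.2.1" },
    "node_modules/follow-redirects": { "version": "1.15.6" }
  } }
'@
$SampleYarnLock = @'
axios@^1.14.0:
  version "1.14.1"
  resolved "placeholder"

plain-crypto-js@4.2.1:
  version "4.2.1"
'@
$SamplePnpmLock = @'
packages:

  /axios@1.14.1:
    resolution: {integrity: placeholder}

  plain-crypto-js@4.2.1:
    resolution: {integrity: placeholder}
'@

Find-LockfileIndicators 'package-lock.json' $SamplePackageLock
Find-LockfileIndicators 'yarn.lock'         $SampleYarnLock
Find-LockfileIndicators 'pnpm-lock.yaml'    $SamplePnpmLock
```

Each sample yields both indicators (axios 1.14.1 and plain-crypto-js 4.2.1); the unrelated `follow-redirects` entry is ignored. A hit only proves the lockfile referenced the package, which is why the scanner goes on to check node_modules and the npm cache.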
Examines the node_modules directory of each project for physical evidence of compromise:
- Malicious package presence — checks whether `node_modules/plain-crypto-js` actually exists on disk
- Known-bad file hash — if `plain-crypto-js/setup.js` is present, computes its SHA-256 and compares it against the known malicious hash (e10b1fa8...). A match is Critical; a mismatch is flagged as High severity (possible variant)
- C2 indicators in source files — scans `.js` files across the project (including inside `plain-crypto-js`) for hardcoded references to the attacker's C2 domain `sfrclak.com` or IP `142.11.206.73`
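The node_modules inspection above, as an added PowerShell example (not RatCatcher's own code) for a single project directory: presence of the package, the setup.js hash graded Critical on match and High on mismatch, and a string search for the C2 domain and IP across every `.js` file in the project. The page does not say how bare presence of the package is graded, so the High rating for that finding is this example's assumption, as are the function and field names. The fixture at the bottom is constructed and contains no real malware, so its setup.js hash takes the mismatch path.

```powershell
# Added example, not part of RatCatcher. Physical-evidence checks for one project.
$KnownSetupJsHash = 'e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09'
$C2Patterns = @('sfrclak\.com', '142\.11\.206\.73')    # regex form, dots escaped

function Test-ProjectNodeModules {
    param([Parameter(Mandatory)][string]$ProjectPath)
    $findings = [System.Collections.Generic.List[object]]::new()
    $emit = { param($Severity, $Check, $Detail)
        $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail }) }

    $pkgDir = [IO.Path]::Combine($ProjectPath, 'node_modules', 'plain-crypto-js')
    if (Test-Path -LiteralPath $pkgDir -PathType Container) {
        # Severity for bare presence is assumed here; the page does not grade it
        & $emit 'High' 'PackagePresent' $pkgDir
        $setup = Join-Path $pkgDir 'setup.js'
        if (Test-Path -LiteralPath $setup -PathType Leaf) {
            # Get-FileHash returns upper-case hex, so normalise before comparing
            $hash = (Get-FileHash -LiteralPath $setup -Algorithm SHA256).Hash.ToLowerInvariant()
            if ($hash -eq $KnownSetupJsHash) {
                & $emit 'Critical' 'SetupJsHash' "$setup matches the known malicious SHA-256"
            } else {
                & $emit 'High' 'SetupJsHash' "$setup present but SHA-256 differs (possible variant): $hash"
            }
        }
    }

    # Every .js in the project, node_modules included; -List reports one hit per file
    Get-ChildItem -LiteralPath $ProjectPath -Recurse -File -Filter *.js -ErrorAction SilentlyContinue |
        Select-String -Pattern $C2Patterns -List |
        ForEach-Object { & $emit 'Critical' 'C2String' "$($_.Path):$($_.LineNumber) $($_.Line.Trim())" }

    return $findings
}

# Constructed demo fixture: a throwaway project with a harmless placeholder setup.js
# (hash will not match, so that finding is graded High) and an index.js that embeds
# the C2 domain as a plain string. Nothing here is real malware.
$demo = Join-Path ([IO.Path]::GetTempPath()) "ratcatcher-demo-$(Get-Random)"
$pkg  = [IO.Path]::Combine($demo, 'node_modules', 'plain-crypto-js')
New-Item -ItemType Directory -Path $pkg -Force | Out-Null
Set-Content -LiteralPath (Join-Path $pkg 'setup.js') -Value '// placeholder, not the real dropper'
Set-Content -LiteralPath (Join-Path $pkg 'index.js') -Value 'const host = "sfrclak.com";'
try     { Test-ProjectNodeModules -ProjectPath $demo | Format-Table Severity, Check, Detail -AutoSize -Wrap }
finally { Remove-Item -LiteralPath $demo -Recurse -Force }
```

The fixture produces three findings: package present (High), setup.js hash mismatch (High, possible variant) and a C2 string hit in index.js (Critical). Swap the fixture for a real project path to run it for real; the C2 string pass walks every `.js` file, so it is the slow part on large monorepos.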
Inspects two locations that persist evidence even after npm uninstall:
- npm content-addressable cache (`~/.npm/_cacache/index-v5`) — searches cache index entries for references to `plain-crypto-js-4.2.1.tgz`, `axios-1.14.1.tgz`, or `axios-0.30.4.tgz`. A hit means the malicious tarball was downloaded and cached, even if the project has since been cleaned up. Remediation: `npm cache clean --force`
- Global npm install — checks whether `axios` or `plain-crypto-js` is installed globally (`npm root -g`) and flags any installation at a vulnerable version as Critical
The malicious plain-crypto-js setup script drops a platform-specific RAT to disk during npm install. This check scans temp and cache directories for files created after the attack window start (2026-03-31 00:21 UTC) that match dropper behavior:
| Platform | Scan Paths | Binary Detection | Known RAT Artifact |
|---|---|---|---|
| Windows | %TEMP%, %APPDATA% | PE/MZ header (0x4D 0x5A) | %PROGRAMDATA%\wt.exe |
| macOS | /tmp, ~/Library/Caches | Mach-O header (0xCF 0xFA) | /Library/Caches/com.apple.act.mond |
| Linux | /tmp, /var/tmp, ~/.cache | ELF header (0x7F 0x45) | /tmp/ld.py |
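The dropped-payload sweep from the table, as an added PowerShell 7 example (not RatCatcher's own code): it picks the current platform via the `$IsWindows`/`$IsMacOS`/`$IsLinux` automatic variables, tests the known artifact path, and then flags any file created since the attack window in the listed directories whose first bytes are a native executable header. Two things go beyond the page and are this example's assumptions: the extra `CA FE BA BE` magic for macOS universal (fat) binaries, since `CF FA` only covers 64-bit single-architecture Mach-O files, and the High severity for a generic executable found in temp. The demo at the bottom writes a constructed header-only file and scans just that folder.

```powershell
# Added example, not part of RatCatcher. Dropped-payload sweep by creation time and magic bytes.
$AttackWindowStart = [datetime]::new(2026, 3, 31, 0, 21, 0, [DateTimeKind]::Utc)

# Paths, magics and artifact from the table; the CA FE BA BE entry is an assumption (fat Mach-O)
$Profiles = @{
    Windows = @{ Paths = @($env:TEMP, $env:APPDATA);           Magics = @(,[byte[]](0x4D,0x5A));                                Artifact = "$env:ProgramData\wt.exe" }
    macOS   = @{ Paths = @('/tmp', "$HOME/Library/Caches");     Magics = @([byte[]](0xCF,0xFA), [byte[]](0xCA,0xFE,0xBA,0xBE)); Artifact = '/Library/Caches/com.apple.act.mond' }
    Linux   = @{ Paths = @('/tmp', '/var/tmp', "$HOME/.cache"); Magics = @(,[byte[]](0x7F,0x45));                                Artifact = '/tmp/ld.py' }
}

function Get-PlatformProfile {
    if ($IsWindows) { $Profiles.Windows } elseif ($IsMacOS) { $Profiles.macOS } else { $Profiles.Linux }
}

function Test-MagicHeader {
    param([string]$Path, $Magics)
    $maxLen = ($Magics | ForEach-Object Length | Measure-Object -Maximum).Maximum
    $head = Get-Content -LiteralPath $Path -AsByteStream -TotalCount $maxLen -ErrorAction SilentlyContinue
    if (-not $head) { return $false }          # unreadable or empty file
    $head = [byte[]]@($head)
    foreach ($magic in $Magics) {
        if ($head.Length -ge $magic.Length -and
            [BitConverter]::ToString($head, 0, $magic.Length) -eq [BitConverter]::ToString($magic)) { return $true }
    }
    return $false
}

function Get-DropperCandidates {
    param([string[]]$Paths)                    # override the profile's directories (used by the demo)
    $p = Get-PlatformProfile
    if (-not $Paths) { $Paths = $p.Paths }
    $results = [System.Collections.Generic.List[object]]::new()
    # 1) the known artifact path itself
    if ($p.Artifact -and (Test-Path -LiteralPath $p.Artifact)) {
        $results.Add([pscustomobject]@{ Severity = 'Critical'; Reason = 'known RAT artifact path'; Path = $p.Artifact })
    }
    # 2) native executables created after the attack window (severity assumed)
    foreach ($dir in ($Paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -ge $AttackWindowStart -and $_.Length -ge 2 } |
            Where-Object { Test-MagicHeader -Path $_.FullName -Magics $p.Magics } |
            ForEach-Object { $results.Add([pscustomobject]@{ Severity = 'High'; Reason = 'executable header in temp/cache after attack window'; Path = $_.FullName }) }
    }
    return $results
}

# Constructed demo: a file that begins with this platform's first magic (header bytes
# only, not a real executable) in a throwaway folder, scanned in isolation.
$demoDir = Join-Path ([IO.Path]::GetTempPath()) "ratcatcher-drop-$(Get-Random)"
New-Item -ItemType Directory -Path $demoDir | Out-Null
$magic = (Get-PlatformProfile).Magics[0]
[IO.File]::WriteAllBytes((Join-Path $demoDir 'sample.bin'), [byte[]]($magic + [byte[]](0, 0, 0, 0)))
try     { Get-DropperCandidates -Paths $demoDir | Format-Table Severity, Reason, Path -AutoSize -Wrap }
finally { Remove-Item -LiteralPath $demoDir -Recurse -Force }
```

Run without `-Paths` to sweep the real directories. Expect noise on Windows: installers and package managers legitimately write PE files to %TEMP%, so the creation-time filter and the owning process matter more than the header alone.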
If the RAT was executed, it will have attempted to establish persistence. This check examines platform-specific persistence locations for artifacts created after the attack window:
| Platform | Locations Checked |
|---|---|
| Windows | Scheduled Tasks, Registry Run keys (HKCU/HKLM), Startup folders |
| macOS | LaunchAgents (~/Library/LaunchAgents), LaunchDaemons (/Library/LaunchDaemons), crontab |
| Linux | Systemd services (~/.config/systemd/user, /etc/systemd/system), crontab, /etc/cron.d, ~/.config/autostart |
- Scheduled Tasks — enumerates all non-Microsoft, non-disabled tasks. Flags tasks that were registered after the attack window, or that invoke living-off-the-land binaries (`powershell`, `wscript`, `cscript`, `mshta`, `rundll32`, `regsvr32`) from temp/appdata paths, or that use hidden window arguments (`-WindowStyle Hidden`, `-NonInteractive`)
- Registry Run Keys — inspects `HKCU\...\Run`, `HKLM\...\Run`, `HKCU\...\RunOnce`, and `HKLM\...\RunOnce` for entries that reference node, npm, or script files (`.ps1`, `.vbs`, `.bat`, `.cmd`, `.js`)
- Startup Folders — checks the user and all-users startup folders for any files added after the attack window
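The Windows task and Run-key rules above, as an added PowerShell example (not RatCatcher's own code). The grading lives in one function that takes a command line and an optional registration time, so it can be exercised on constructed entries without touching the system; the two wrappers feed live scheduled tasks (non-Microsoft by task path, non-disabled) and the four Run/RunOnce keys through it. Adding `pwsh` to the LOLBin list, treating the task path as the "non-Microsoft" test, and all function names are this example's assumptions; startup folders are not covered here.

```powershell
# Added example, not part of RatCatcher. Persistence grading for Windows tasks and Run keys.
$AttackWindowStart = [datetime]::new(2026, 3, 31, 0, 21, 0, [DateTimeKind]::Utc)
$LolBins = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32')   # pwsh added (assumption)

function Test-PersistenceEntry {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [datetime]$Registered,                 # omit when unknown (Run keys carry no timestamp)
        [string]$Source = 'unknown'
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    # First token is the executable, quoted or bare
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    $bin = [IO.Path]::GetFileNameWithoutExtension($exe).ToLowerInvariant()

    if ($PSBoundParameters.ContainsKey('Registered') -and $Registered.ToUniversalTime() -ge $AttackWindowStart) {
        $reasons.Add('registered after attack window')
    }
    if ($bin -in $LolBins -and $CommandLine -match '(?i)\\(Temp|AppData|ProgramData)\\') {
        $reasons.Add("LOLBin $bin launched with a temp/appdata path")
    }
    if ($CommandLine -match '(?i)-(WindowStyle\s+Hidden|NonInteractive|w\s+hidden)') {
        $reasons.Add('hidden/non-interactive window arguments')
    }
    if ($CommandLine -match '(?i)(\bnode(\.exe)?\b|\bnpm\b|\.(ps1|vbs|bat|cmd|js)\b)') {
        $reasons.Add('references node, npm or a script file')
    }
    [pscustomobject]@{ Source = $Source; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; '); CommandLine = $CommandLine }
}

function Get-SuspiciousScheduledTasks {
    if (-not $IsWindows) { return }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
        ForEach-Object {
            $task = $_
            $registered = if ($task.Date) { [datetime]$task.Date } else { $null }   # RegistrationInfo date, may be empty
            foreach ($a in $task.Actions) {
                if (-not $a.Execute) { continue }                                     # skip non-exec (COM/email) actions
                $cl = ("$($a.Execute) $($a.Arguments)").Trim()
                $src = "task $($task.TaskPath)$($task.TaskName)"
                $r = if ($registered) { Test-PersistenceEntry -CommandLine $cl -Registered $registered -Source $src }
                     else              { Test-PersistenceEntry -CommandLine $cl -Source $src }
                if ($r.Suspicious) { $r }
            }
        }
}

function Get-SuspiciousRunKeys {
    if (-not $IsWindows) { return }
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $r = Test-PersistenceEntry -CommandLine ([string]$p.Value) -Source "$k\$($p.Name)"
            if ($r.Suspicious) { $r }
        }
    }
}

# Constructed sample entries (not from a real machine); the .ps1 name is the temp-path IOC
# listed later on this page. All three are given a registration date after the window.
@(
    'powershell.exe -WindowStyle Hidden -NonInteractive -File C:\Users\dev\AppData\Local\Temp\6202033.ps1',
    '"C:\Windows\System32\wscript.exe" //B "C:\Users\dev\AppData\Roaming\sync.vbs"',
    '"C:\Program Files\Vendor\Updater.exe" /background'
) | ForEach-Object { Test-PersistenceEntry -CommandLine $_ -Registered ([datetime]'2026-04-02') -Source 'sample' } |
    Format-Table Suspicious, Reasons, CommandLine -AutoSize -Wrap
```

The third sample is flagged only because of its registration date, which is the intended behaviour per the bullet above but also the main source of false positives: anything legitimately installed after 31 March 2026 lands in the same bucket, so the reasons column is what an analyst should read.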
The RAT is known to store its C2 configuration XOR-encoded to evade simple string searches. This check reads files from temp and appdata locations, decodes them using the attacker's known XOR scheme (key: OrDeR_7077, constant: 333), and searches the decoded output for the C2 domain sfrclak.com and IP 142.11.206.73. Scanned file types include .exe, .dll, .bin, .dat, .ps1, .js, .vbs, .bat, .tmp, and .log.
Looks for signs that the RAT has already communicated with the attacker's infrastructure:
- Active TCP connections — queries live network connections for any session currently open to `142.11.206.73` or port `8000` (the known C2 beacon port). If found, identifies the owning process by PID. An active connection to the C2 IP means the RAT is running right now; a port-8000 hit on its own is weaker evidence, because local development servers commonly use that port, so check the owning process before escalating
- DNS cache (Windows) — runs `ipconfig /displaydns` and searches the output for `sfrclak.com`. A cache hit means the machine resolved the attacker's domain at some point since the last DNS flush, indicating a connection attempt was made
- Windows Firewall log — if the firewall log is enabled (`C:\Windows\System32\LogFiles\Firewall\pfirewall.log`), searches it for any historical traffic to `142.11.206.73` and includes sample log lines as evidence. Firewall logging is off by default, so a missing or empty log is not evidence of absence
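The three network checks above, as an added PowerShell example (not RatCatcher's own code). The firewall-log parser is separated from file access so it can run offline on the constructed lines at the bottom; the connection and DNS-cache functions query a live Windows host and return nothing on other platforms. Two deliberate additions beyond the page: a confidence field that downgrades port-only hits, and the secondary C2 domain from the IOC table (`callnrwise.com`) included in the DNS search. Function and field names are this example's choice.

```powershell
# Added example, not part of RatCatcher. Network evidence checks.
$C2Ip      = '142.11.206.73'
$C2Port    = 8000
$C2Domains = @('sfrclak.com', 'callnrwise.com')   # secondary domain added from the IOC table

function Get-LiveC2Connections {
    if (-not $IsWindows) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Ip -or $_.RemotePort -eq $C2Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # The IP is conclusive; port 8000 alone is shared with countless dev servers
            $confidence = if ($_.RemoteAddress -eq $C2Ip) { 'Conclusive' } else { 'PortOnly' }
            [pscustomobject]@{ Remote = "$($_.RemoteAddress):$($_.RemotePort)"; PID = $_.OwningProcess
                               Process = $proc.ProcessName; Path = $proc.Path; Confidence = $confidence }
        }
}

function Test-DnsCacheForC2 {
    if (-not $IsWindows) { return $false }
    $cache = ipconfig /displaydns 2>$null
    return [bool]($cache | Select-String -SimpleMatch -Pattern $C2Domains -Quiet)
}

function Find-FirewallLogHits {
    param([Parameter(Mandatory)][string[]]$Lines)
    # pfirewall.log W3C layout: date time action protocol src-ip dst-ip src-port dst-port ...
    foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($f[4] -eq $C2Ip -or $f[5] -eq $C2Ip) {        # either direction
            [pscustomobject]@{ When = "$($f[0]) $($f[1])"; Action = $f[2]; Protocol = $f[3]
                               Source = "$($f[4]):$($f[6])"; Destination = "$($f[5]):$($f[7])"; Evidence = $line }
        }
    }
}

function Get-FirewallLogHits {
    if (-not $IsWindows) { return }
    $log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
    if (-not (Test-Path -LiteralPath $log)) { return }   # logging is off by default; absence proves nothing
    Find-FirewallLogHits -Lines (Get-Content -LiteralPath $log)
}

# Constructed sample log lines (not from a real host): 10.0.0.25 is the scanned machine,
# 203.0.113.10 an unrelated TEST-NET address. The first and third lines should be reported.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-03-31 09:14:52 ALLOW TCP 10.0.0.25 142.11.206.73 51822 8000 0 - 0 0 0 - - - SEND
2026-03-31 09:15:03 ALLOW TCP 10.0.0.25 203.0.113.10 51830 443 0 - 0 0 0 - - - SEND
2026-03-31 09:16:10 DROP TCP 142.11.206.73 10.0.0.25 8000 51822 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

Find-FirewallLogHits -Lines $SampleLog | Format-Table When, Action, Source, Destination -AutoSize
```

On a live host, run `Get-LiveC2Connections`, `Test-DnsCacheForC2` and `Get-FirewallLogHits` in that order: an established connection is the strongest evidence, a DNS-cache hit survives only until the next flush, and the firewall log exists only where logging was turned on before the event.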
Produces two output files in the report directory:
- Technical forensic report — full detail on every finding across all ten checks, including file paths, hashes, timestamps, severity ratings, and remediation commands
- Executive briefing — a concise summary suitable for management or incident response teams, covering scope, confirmed findings, and recommended actions
Both files are named with the hostname and timestamp for easy identification.
Submits the scan results (verdict, finding counts, and report files) to the RatCatcher dashboard using the submission password entered at the start of the scan. Reports are always saved locally regardless of whether submission succeeds.
| Code | Meaning |
|---|---|
| 0 | No compromise evidence found across all 10 checks |
| 1 | One or more Critical or lockfile findings detected — review reports immediately |
| Indicator | Type | Description |
|---|---|---|
| axios v1.14.1 | npm package | Compromised release |
| axios v0.30.4 | npm package | Compromised release |
| plain-crypto-js v4.2.0 | npm package | Staging package (precursor) |
| plain-crypto-js v4.2.1 | npm package | Malicious RAT-dropping dependency |
| @shadanai/openclaw | npm package | Distributes same plain-crypto-js malware |
| @qqbrowser/openclaw-qbot | npm package | Distributes same plain-crypto-js malware |
| e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SHA-256 | Known malicious setup.js |
| 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | SHA-256 | Windows PowerShell RAT payload |
| 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | SHA-256 | macOS C++ binary payload |
| fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | SHA-256 | Linux Python RAT payload |
| sfrclak.com | Domain | Primary C2 domain |
| callnrwise.com | Domain | Secondary C2 domain |
| 142.11.206.73 | IP address | C2 server |
| 142.11.206.73:8000 | IP:Port | RAT beacon endpoint |
| mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) | User-Agent | Spoofed UA used by all RAT variants |
| %TEMP%\6202033.ps1 | File path | Windows RAT payload temp location |
| %PROGRAMDATA%\wt.exe | File path | Renamed PowerShell binary |
| %PROGRAMDATA%\system.bat | File path | Windows persistence batch file |
Attribution: UNC1069 / Sapphire Sleet (North Korean state actor) - confirmed by Google Threat Intelligence and Microsoft.
