
Inside the Axios supply chain compromise - one RAT to rule them all

A compromised maintainer account for the widely used axios npm package published backdoored versions that deliver a cross-platform Remote Access Trojan (RAT). The malicious payload, triggered via a postinstall hook in a decoy dependency, deploys identical C2 frameworks across Windows, macOS, and Linux systems while employing anti-forensic techniques to hide its tracks.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-31

Authors: Elastic Security Labs

Actors: UNC1069, WAVESHAPER

Source:Elastic Security Labs


Key Takeaways

  • A compromised npm maintainer account published backdoored versions of the widely used axios package (1.14.1 and 0.30.4).
  • The malicious payload is delivered via a postinstall hook in a decoy dependency named plain-crypto-js.
  • Stage-2 payloads deploy identical RAT implementations across Windows, macOS, and Linux, sharing the same C2 protocol.
  • The RAT uses a hardcoded, spoofed Internet Explorer 8 User-Agent, which is highly anomalous on modern systems (especially macOS/Linux).
  • The dropper performs anti-forensics by deleting itself and swapping its package.json with a clean copy to hide the postinstall trigger.

Affected Systems

  • macOS
  • Windows
  • Linux
  • Node.js/npm environments

Attack Chain

The attacker compromised an npm maintainer account to publish malicious versions of the axios package. These versions included a new dependency, plain-crypto-js, which used a postinstall hook to execute an obfuscated JavaScript dropper. The dropper downloaded and executed platform-specific stage-2 payloads (PowerShell, C++, or Python) from a remote C2 server. Finally, the dropper deleted itself and replaced its package manifest to hide evidence, while the stage-2 RAT established persistent C2 communication using a spoofed Internet Explorer 8 User-Agent.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Elastic Security Labs

Elastic Security Labs released initial triage and detection rules for the Axios supply-chain compromise, which are linked in the preamble of the article.

Detection Engineering Assessment

  • EDR Visibility: High. EDR can easily spot the anomalous process ancestry (npm/node spawning osascript, powershell, or python) and the reflective .NET loading or binary drops to /tmp and %TEMP%.
  • Network Visibility: High. The hardcoded IE8 User-Agent is highly anomalous, especially on macOS and Linux, and the C2 traffic uses port 8000.
  • Detection Difficulty: Moderate. While the initial dropper cleans up after itself, the stage-2 execution involves noisy behaviors like node.js spawning shells and a highly distinctive network User-Agent.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • File Creation (Sysmon 11)
  • PowerShell Script Block Logging (Event ID 4104)

Hunting Hypotheses

  • Hypothesis: Look for node.js or npm processes spawning unexpected child processes like osascript, powershell.exe, or python3, indicating potential postinstall hook abuse. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Search for HTTP outbound traffic utilizing the specific IE8 User-Agent 'mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)', particularly originating from macOS or Linux endpoints. | Telemetry: Network Traffic | ATT&CK Stage: Command and Control | FP Risk: Low
  • Hypothesis: Identify PowerShell execution bypassing execution policies (-ep Bypass) originating from unusual directories like %TEMP% or involving renamed executables like wt.exe in %PROGRAMDATA%. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
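The three hypotheses above as runnable hunting logic over constructed telemetry. This is an added example, not detection content from the Elastic report; the event field names and the sample process and network records are assumptions, while the User-Agent string, interpreter names and paths come from the report.

```python
import re

# User-Agent string and paths quoted in the report; telemetry field names are assumed.
IE8_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
INTERPRETERS = {"osascript", "powershell.exe", "powershell", "python", "python3"}
NODE_PARENTS = {"node", "node.exe", "npm"}

# Constructed sample events: simplified process-creation and network records.
EVENTS = [
    {"type": "process", "host": "dev-mac-01", "os": "macos", "parent": "node",
     "image": "/usr/bin/osascript", "cmdline": "/usr/bin/osascript"},
    {"type": "process", "host": "dev-mac-01", "os": "macos", "parent": "node",
     "image": "/usr/local/bin/node", "cmdline": "node setup.js"},
    {"type": "process", "host": "dev-win-07", "os": "windows", "parent": "node.exe",
     "image": r"C:\ProgramData\wt.exe",
     "cmdline": r"C:\ProgramData\wt.exe -NoProfile -ep Bypass -File C:\Users\u\AppData\Local\Temp\6202033.ps1"},
    {"type": "process", "host": "dev-win-07", "os": "windows", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\build.ps1"},
    {"type": "network", "host": "ci-linux-03", "os": "linux", "image": "python3",
     "dst_port": 8000, "user_agent": IE8_UA},
    {"type": "network", "host": "ci-linux-03", "os": "linux", "image": "curl",
     "dst_port": 443, "user_agent": "curl/8.5.0"},
]

def basename(path):
    # Last path component, tolerant of both / and \ separators, lower-cased.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(events):
    """Return (hypothesis, host, detail) for every event matching a hypothesis."""
    hits = []
    for e in events:
        cmd = e.get("cmdline", "")
        if e["type"] == "process":
            # H1: npm/node spawning a script interpreter (postinstall hook abuse)
            if e.get("parent", "").lower() in NODE_PARENTS and basename(e["image"]) in INTERPRETERS:
                hits.append(("H1 node spawning interpreter", e["host"], cmd))
            # H3: execution-policy bypass from %TEMP% or via a renamed wt.exe in %PROGRAMDATA%
            unusual_path = re.search(r"\\temp\\|\\programdata\\wt\.exe", cmd, re.I)
            if re.search(r"-ep\s+bypass", cmd, re.I) and unusual_path:
                hits.append(("H3 PowerShell bypass from unusual path", e["host"], cmd))
        elif e["type"] == "network":
            # H2: the spoofed IE8 User-Agent leaving a non-Windows endpoint
            if e.get("user_agent", "").lower() == IE8_UA and e["os"] != "windows":
                hits.append(("H2 IE8 User-Agent on non-Windows host", e["host"], "dst_port %d" % e["dst_port"]))
    return hits

if __name__ == "__main__":
    print(*hunt(EVENTS), sep="\n")
```

The benign records (a plain `node setup.js` child, PowerShell launched by explorer.exe, a curl User-Agent) are included so the rules can be checked for false positives as well as hits.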

Control Gaps

  • Lack of SLSA provenance validation on npm package installation
  • Inadequate egress filtering allowing outbound connections on port 8000

Key Behavioral Indicators

  • Node.js spawning osascript/powershell/python
  • Renamed PowerShell executable (wt.exe) in %PROGRAMDATA%
  • Hardcoded IE8 User-Agent on non-Windows systems
  • Creation of hidden files in /tmp/ on Linux

False Positive Assessment

  • Low - The specific combination of the spoofed IE8 User-Agent, the malicious npm package versions, and the C2 infrastructure is highly specific to this campaign.

Recommendations

Immediate Mitigation

  • Audit npm dependencies for axios versions 1.14.1 and 0.30.4, and plain-crypto-js version 4.2.1.
  • Downgrade axios to known safe versions (1.14.0 or 0.30.3).
  • Block network traffic to sfrclak[.]com and 142.11.206[.]73.
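A dependency audit for the versions listed above, written as an added example rather than Elastic's own tooling: it walks a package-lock.json and flags the axios and plain-crypto-js versions this report names. The sample lockfile is constructed; the version numbers are the report's.

```python
import json

# Package versions named in the report as malicious.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": {"4.2.1"}}

# Constructed lockfileVersion 3 package-lock.json (not from the report) in which
# axios 1.14.1 pulled in plain-crypto-js 4.2.1. npm records "hasInstallScript"
# on packages that declare install hooks such as postinstall.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "^4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

def installed_packages(lock):
    """Yield (name, version, has_install_script) from a v2/v3 "packages" map.

    Keys are paths like node_modules/a/node_modules/b; the package name is the
    part after the last node_modules/ (scoped names such as @scope/pkg survive).
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), bool(meta.get("hasInstallScript"))

def audit_lockfile(text):
    """Return [(name, version, reason)] for packages at a version named in the report."""
    findings = []
    for name, version, has_script in installed_packages(json.loads(text)):
        if version in BAD_VERSIONS.get(name, ()):
            reason = "malicious version"
            if has_script:
                reason += "; declares an install script (postinstall hook)"
            findings.append((name, version, reason))
    return findings

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print("FLAGGED %s@%s: %s" % (name, version, reason))
```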

Infrastructure Hardening

  • Implement egress filtering to restrict outbound traffic on non-standard ports like 8000.
  • Enforce SLSA provenance checks for CI/CD pipelines to prevent the ingestion of unverified package versions.

User Protection

  • Deploy EDR rules to monitor for node.js processes spawning suspicious shells (PowerShell, osascript, python).

Security Awareness

  • Educate developers on the risks of npm postinstall hooks and the importance of verifying package provenance.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.002 - Command and Scripting Interpreter: AppleScript
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1564.001 - Hidden Files and Directories
  • T1055 - Process Injection
  • T1070.004 - Indicator Removal: File Deletion
  • T1082 - System Information Discovery
  • T1057 - Process Discovery
  • T1083 - File and Directory Discovery
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1571 - Non-Standard Port
  • T1132.001 - Data Encoding: Standard Encoding
  • T1105 - Ingress Tool Transfer

Additional IOCs

  • Ips:
    • 142[.]11[.]206[.]73 - C2 IP address
  • Domains:
    • sfrclak[.]com - C2 domain
  • Urls:
    • hxxp://sfrclak[.]com:8000/6202033 - Stage-2 payload delivery URL
  • File Hashes:
    • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (sha256) - Windows payload
    • 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (sha256) - macOS payload
    • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (sha256) - Linux payload
  • File Paths:
    • /Library/Caches/com.apple.act.mond - macOS stage-2 payload location
    • %TEMP%\6202033.ps1 - Windows transient stage-2 payload location
    • %PROGRAMDATA%\wt.exe - Renamed PowerShell executable used in Windows execution
    • /tmp/ld.py - Linux stage-2 payload location
    • node_modules/plain-crypto-js/package.json - Target of anti-forensics package manifest swap
  • Command Lines:
    • Purpose: Execute postinstall hook | Tools: node | Stage: Execution | node setup.js
    • Purpose: Execute Windows payload | Tools: PowerShell | Stage: Execution | powershell -NoProfile -ep Bypass
    • Purpose: Execute macOS payload | Tools: osascript | Stage: Execution | /usr/bin/osascript
  • Other:
    • ifstap@proton[.]me - Compromised maintainer email used to publish malicious axios versions
    • nrwise@proton[.]me - Email used to publish the malicious plain-crypto-js dependency
    • axios@1.14.1 - Malicious npm package version (tagged latest)
    • axios@0.30.4 - Malicious npm package version (tagged legacy)
    • plain-crypto-js@4.2.1 - Malicious payload delivery vehicle dependency