Severity: critical

Intelligence Center

A critical supply chain attack compromised the official Axios npm package, deploying malicious versions v1.14.1 and v0.30.4. The packages contained a fake runtime dependency that automatically executed post-install, downloading platform-specific Remote Access Trojans (RATs) to Windows, MacOS, and Linux systems to facilitate credential exfiltration and remote access.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-04-03

Authors: Nick Biasini, Cisco Talos

Actors: Axios NPM Supply Chain Attack

Source: Cisco Talos

IOCs · 4

Key Takeaways

  • Malicious versions of the popular Axios npm package (v1.14.1 and v0.30.4) were deployed in a supply chain attack.
  • The compromised packages introduce a fake runtime dependency (plain-crypto-js) that executes automatically via a post-install script.
  • The script profiles the OS and downloads platform-specific Remote Access Trojans (RATs) for Linux, MacOS, and Windows.
  • Threat actors successfully exfiltrated credentials and established remote management capabilities on affected systems.
  • Organizations must immediately roll back to safe versions (v1.14.0 or v0.30.3) and rotate any potentially compromised credentials.

Affected Systems

  • Linux, MacOS, and Windows systems running Axios npm package versions v1.14.1 or v0.30.4

Attack Chain

The attack initiates when a user or build system installs a compromised version of the Axios npm package (v1.14.1 or v0.30.4). A fake runtime dependency named 'plain-crypto-js' is triggered via a post-install script without user interaction. This script profiles the operating system and contacts an actor-controlled C2 server (142.11.206.73) to download a platform-specific Remote Access Trojan (RAT). On Windows, it copies PowerShell to '%PROGRAM DATA%\wt.exe' and executes a downloaded .ps1 file; on MacOS, it runs a binary via zsh; and on Linux, it executes a Python backdoor, ultimately leading to credential exfiltration and remote access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but lists actionable IOCs including file hashes, IP addresses, and domains for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can easily detect the post-install script execution, the copying/renaming of powershell.exe to wt.exe, and the subsequent execution of a .ps1 file with bypass flags.
  • Network Visibility: Medium — Network monitoring can detect the initial callout to the hardcoded C2 IP address and domain, though the traffic may blend with normal npm installation traffic if not inspected closely.
  • Detection Difficulty: Moderate — While the initial supply chain vector is difficult to prevent, the post-exploitation behavior (renaming powershell, executing from %PROGRAM DATA%) is highly anomalous and relatively easy to detect.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • File Creation (Sysmon 11)

Hunting Hypotheses

  • Hypothesis: Search for npm or node processes spawning shell interpreters (cmd, sh, zsh) that subsequently initiate external network connections to unknown IPs.
    • Telemetry: Process Creation, Network Connections
    • ATT&CK Stage: Execution
    • FP Risk: Medium
  • Hypothesis: Look for the creation of an executable named 'wt.exe' in the '%PROGRAM DATA%' directory, especially if its hash matches 'powershell.exe'.
    • Telemetry: File Creation, Process Creation
    • ATT&CK Stage: Defense Evasion
    • FP Risk: Low
  • Hypothesis: Monitor for 'wt.exe' executing with '-ExecutionPolicy Bypass' or '-WindowStyle Hidden' arguments.
    • Telemetry: Process Creation
    • ATT&CK Stage: Execution
    • FP Risk: Low

Control Gaps

  • Lack of strict egress filtering for build environments
  • Implicit trust in popular open-source packages without version pinning and integrity checking

Key Behavioral Indicators

  • Node.js spawning zsh or python to download files
  • powershell.exe copied to %PROGRAM DATA%\wt.exe
  • Execution of plain-crypto-js post-install scripts

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Roll back Axios deployments to known safe versions (v1.14.0 or v0.30.3).
  • Identify and isolate any systems that downloaded Axios v1.14.1 or v0.30.4.
  • Rotate all credentials present on systems that installed the malicious packages.

Infrastructure Hardening

  • Implement strict egress filtering on build servers and CI/CD pipelines to prevent unauthorized external connections.
  • Use local package repositories or proxies to control and scan imported npm packages.

User Protection

  • Deploy EDR solutions to monitor for anomalous process executions, such as renamed PowerShell binaries.
  • Restrict execution policies for PowerShell on developer workstations.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying package integrity.
  • Enforce policies for reviewing and approving new dependencies or version bumps in critical projects.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1036.003 - Masquerading: Rename System Utilities
  • T1082 - System Information Discovery

Additional IOCs

  • File Hashes:
    • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (SHA256) - Linux RAT payload.
    • ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (SHA256) - 6202033.ps1 - Windows PowerShell payload.
  • File Paths:
    • %PROGRAM DATA%\wt.exe - Location where the legitimate powershell.exe is copied and renamed by the Windows payload.
    • com.apple.act.mond - Malicious binary downloaded and executed on MacOS.
  • Command Lines:
    • Purpose: Execute the downloaded PowerShell RAT payload with hidden window and execution policy bypass flags. | Tools: powershell.exe, wt.exe | Stage: Execution | wt.exe
  • Other:
    • plain-crypto-js - Fake runtime dependency introduced in the malicious Axios packages.
    • v1.14.1 - Malicious version of the Axios npm package.
    • v0.30.4 - Malicious version of the Axios npm package.