Mitigating the Axios npm supply chain compromise

Key Takeaways

• Malicious Axios npm packages (1.14.1 and 0.30.4) were injected with a fake dependency (plain-crypto-js) to deploy OS-specific RATs.
• The attack is attributed to the North Korean state actor Sapphire Sleet, which typically targets the finance and cryptocurrency sectors.
• Malware executes silently during 'npm install' via a post-install hook in setup.js, requiring no user interaction.
• Payloads are tailored for macOS (native binary), Windows (PowerShell/VBScript), and Linux (Python script).
• Organizations must immediately downgrade Axios to safe versions (1.14.0 or 0.30.3), rotate exposed secrets, and disable dependency auto-updates.

Affected Systems

• Windows
• macOS
• Linux
• Systems running Axios npm package versions 1.14.1 or 0.30.4
• CI/CD pipelines and developer endpoints

Attack Chain

The attack begins when a developer or CI/CD pipeline installs compromised Axios versions (1.14.1 or 0.30.4). These versions contain a malicious dependency, plain-crypto-js, which uses a post-install hook to execute setup.js. This script identifies the host OS and contacts a C2 server to download a second-stage RAT. On macOS, it drops a native binary; on Windows, it drops a PowerShell script that establishes registry persistence and masquerades as wt.exe; on Linux, it executes a Python script. The malware then cleans up its initial installation artifacts to evade detection.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: Yes
• Platforms: Microsoft Defender for Endpoint, Microsoft Defender for Cloud

Microsoft Defender provides built-in blocking detections for the malicious components and behaviors. The article also demonstrates using Microsoft Defender for Cloud's Cloud Security Explorer GUI to hunt for container images with the malicious 'axios' and 'plain-crypto-js' packages installed.

Detection Engineering Assessment

EDR Visibility: High — The attack drops multiple files to disk, modifies registry run keys, and spawns suspicious child processes from package managers (e.g., node.exe spawning cmd.exe or sh). Network Visibility: Medium — C2 traffic uses standard HTTP POST requests to port 8000, which can be detected if specific domain/IP or port anomalies are monitored, though the payload traffic itself is encoded. Detection Difficulty: Moderate — While the initial vector blends in with normal npm installs, the post-install behaviors (dropping scripts in temp/programdata, renaming powershell, adding run keys) are highly anomalous and easily detectable with standard EDR rules.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• Registry Modifications (Sysmon 12/13)
• Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for node.exe or npm processes spawning shell interpreters (cmd.exe, sh, bash, zsh) that subsequently use curl or wget to download files from external sources.	Process Creation	Execution	Medium
Search for instances of powershell.exe being copied or renamed to unusual locations like %PROGRAMDATA%\wt.exe.	File Creation, Process Creation	Defense Evasion	Low
Monitor for registry modifications in HKCU\Software\Microsoft\Windows\CurrentVersion\Run where the value points to a script or executable in %PROGRAMDATA%.	Registry Modifications	Persistence	Low
Identify network connections to port 8000 originating from script interpreters (python, node, powershell) or native shells.	Network Connections	Command and Control	Medium

Control Gaps

• Lack of egress filtering on build servers and CI/CD pipelines
• Unrestricted auto-updates in package.json allowing minor/patch upgrades to pull malicious versions

Key Behavioral Indicators

• node.exe spawning sh or cmd.exe during package installation
• Creation of /Library/Caches/com.apple.act.mond on macOS
• Execution of cscript //nologo from the %TEMP% directory
• Python scripts running from /tmp/ld.py

False Positive Assessment

• Low. The specific IOCs (domains, IPs, hashes) and behaviors (renaming powershell to wt.exe, dropping specific files in /Library/Caches) are highly indicative of this specific Sapphire Sleet campaign.

Recommendations

Immediate Mitigation

• Downgrade Axios to safe versions (1.14.0 or 0.30.3 or earlier).
• Rotate all secrets and credentials that were exposed to compromised systems.
• Flush the local npm cache using 'npm cache clean --force'.
• Remove all Axios files/code from victim systems and re-install cleanly.

Infrastructure Hardening

• Disable auto-upgrade features in package.json by removing caret (^) or tilde (~) symbols.
• Use overrides to force pinned versions for transitive dependencies.
• Block outbound connections to sfrclak[.]com and 142.11.206[.]72/73 on port 8000.

User Protection

• Search developer machines for node_modules folders containing plain-crypto-js or malicious Axios versions.
• Use 'npm ci --ignore-scripts' to prevent post-install hooks from running, or set 'npm config set ignore-scripts true' by default.

Security Awareness

• Educate developers on the risks of automated dependency updates and the importance of pinning package versions.
• Adopt Trusted Publishing with OIDC to eliminate stored credentials.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.002 - Command and Scripting Interpreter: AppleScript
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1059.006 - Command and Scripting Interpreter: Python
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1036.003 - Masquerading: Rename System Utilities
• T1070.004 - Indicator Removal: File Deletion
• T1105 - Ingress Tool Transfer

Additional IOCs

• Ips:
  • 142[.]11[.]206[[.]]72 - Additional C2 IP address mentioned in the mitigation guidance.
• File Hashes:
  • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (SHA256) - Secondary hash for Windows PowerShell RAT payload.
  • f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd (SHA256) - Windows system.bat persistence artifact.
• Registry Keys:
  • HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate - Registry run key added by the Windows RAT for persistence.
• File Paths:
  • /Library/Caches/com.apple.act.mond - Durable artifact location for the macOS RAT.
  • %PROGRAMDATA%\system.bat - Windows persistence batch script.
  • %PROGRAMDATA%\wt.exe - Renamed PowerShell executable used by the Windows RAT to masquerade as a benign process.
  • %TEMP%\6202033.vbs - Temporary VBScript stager dropped on Windows.
  • /tmp/ld.py - Python payload dropped on Linux systems.
• Command Lines:
  • Purpose: Downloads and executes the macOS native binary RAT | Tools: sh, curl, chmod, zsh | Stage: Execution | sh -c 'curl -o /Library/Caches/com.apple.act.mond
  • Purpose: Executes the Windows VBScript stager silently | Tools: cscript | Stage: Execution | cscript //nologo
  • Purpose: Fetches the Windows PowerShell RAT payload via HTTP POST | Tools: cmd.exe, curl | Stage: Command and Control | cmd.exe /c curl -s -X POST
  • Purpose: Downloads and executes the Linux Python RAT in the background | Tools: sh, curl, nohup, python3 | Stage: Execution | nohup python3 /tmp/ld.py
• Other:
  • axios@1.14.1 - Compromised Axios npm package version.
  • axios@0.30.4 - Compromised Axios npm package version.