Axios NPM Compromise File Creation Indicators - Linux

calendar Apr 1, 2026 · attack.initial-access attack.t1195.002 attack.command-and-control attack.t1105 detection.emerging-threats  ·
Share on: linkedin copy

Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.

Sigma rule (View on GitHub)

 1title: Axios NPM Compromise File Creation Indicators - Linux
 2id: b7cb840c-11f6-47f7-b3ef-5524739c9077
 3status: experimental
 4description: |
 5    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
 6    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.    
 7references:
 8    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
 9    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
10    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
11    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
12    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-04-01
15tags:
16    - attack.initial-access
17    - attack.t1195.002
18    - attack.command-and-control
19    - attack.t1105
20    - detection.emerging-threats
21logsource:
22    category: file_event
23    product: linux
24detection:
25    selection:
26        Image|endswith: '/curl'
27        TargetFilename: '/tmp/ld.py'
28    condition: selection
29falsepositives:
30    - Highly unlikely
31level: high

References

Related rules

to-top