Axios NPM Compromise File Creation Indicators - MacOS

calendar Apr 1, 2026 · attack.initial-access attack.t1195.002 attack.command-and-control attack.t1105 detection.emerging-threats  ·
Share on: linkedin copy

Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.

Sigma rule (View on GitHub)

 1title: Axios NPM Compromise File Creation Indicators - MacOS
 2id: 2db0458c-05c9-4069-a26f-77becd9c8c13
 3status: experimental
 4description: |
 5    Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
 6    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.    
 7references:
 8    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
 9    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
10    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
11    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
12    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-04-01
15tags:
16    - attack.initial-access
17    - attack.t1195.002
18    - attack.command-and-control
19    - attack.t1105
20    - detection.emerging-threats
21logsource:
22    category: file_event
23    product: macos
24detection:
25    selection_curl_download:
26        Image|endswith: '/curl'
27        TargetFilename: '/Library/Caches/com.apple.act.mond'
28    selection_node_shell:
29        Image|endswith: '/node'
30        TargetFilename: '/tmp/6202033'
31    condition: 1 of selection_*
32falsepositives:
33    - Highly unlikely
34level: high

References

Related rules

to-top