Axios NPM Compromise File Creation Indicators - Windows

calendar Apr 1, 2026 · attack.initial-access attack.t1195.002 detection.emerging-threats  ·
Share on: linkedin copy

Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.

Sigma rule (View on GitHub)

 1title: Axios NPM Compromise File Creation Indicators - Windows
 2id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
 3status: experimental
 4description: |
 5    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
 6    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
 7    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
 8    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.    
 9references:
10    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
11    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
12    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
13    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
14    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2026-04-01
17tags:
18    - attack.initial-access
19    - attack.t1195.002
20    - detection.emerging-threats
21logsource:
22    category: file_event
23    product: windows
24detection:
25    selection_img:
26        Image|endswith:
27            - '\node.exe'
28            - '\powershell.exe'
29    selection_fils:
30        - TargetFilename:
31              - 'C:\ProgramData\wt.exe'
32              - 'C:\ProgramData\system.bat'
33        - TargetFilename|contains|all:
34              - 'C:\Users\'
35              - '\AppData\Local\Temp\6202033.vbs'
36        - TargetFilename|contains|all:
37              - 'C:\Users\'
38              - '\AppData\Local\Temp\6202033.ps1'
39    condition: all of selection_*
40falsepositives:
41    - Highly unlikely
42level: high

References

Related rules

to-top