https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/ Recent content in Axios-NPM-Compromise on Detection.FYI Hugo -- gohugo.io Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_lnx_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_lnx_axios_npm_compromise_indicators/ Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_macos_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_macos_axios_npm_compromise_indicators/ Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_win_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/file_event_win_axios_npm_compromise_indicators/ Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_lnx_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_lnx_axios_npm_compromise_indicators/ Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_macos_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_macos_axios_npm_compromise_indicators/ Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_win_axios_npm_compromise_indicators/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/proc_creation_win_axios_npm_compromise_indicators/ Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/net_dns_axios_npm_compromise_indicator/ Wed, 01 Apr 2026 10:31:31 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/axios-npm-compromise/net_dns_axios_npm_compromise_indicator/ Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.