Axios NPM Compromise Malicious C2 Domain DNS Query

Apr 1, 2026 · attack.command-and-control attack.t1071.001 attack.t1568 detection.emerging-threats ·

Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.

Sigma rule (View on GitHub)

 1title: Axios NPM Compromise Malicious C2 Domain DNS Query
 2id: 73e5d24f-493f-4092-bd2f-c72cabda40ee
 3status: experimental
 4description: |
 5    Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
 6    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
 7    This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.    
 8references:
 9    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
10    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
11    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
12    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
13    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
14    - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2026-04-01
17tags:
18    - attack.command-and-control
19    - attack.t1071.001
20    - attack.t1568
21    - detection.emerging-threats
22logsource:
23    category: dns
24detection:
25    selection:
26        query:
27            - 'sfrclak.com'
28            - 'calltan.com'
29            - 'callnrwise.com'
30    condition: selection
31falsepositives:
32    - Unlikely
33level: high

Axios NPM Compromise Malicious C2 Domain DNS Query

Sigma rule (View on GitHub)

References

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

https://www.derp.ca/research/axios-npm-supply-chain-rat/

https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html

https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections

https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09

https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package

Related rules