Axios NPM Compromise Indicators - macOS

calendar Apr 1, 2026 · attack.initial-access attack.t1195.002 attack.execution attack.command-and-control attack.defense-evasion attack.t1059.002 attack.t1059.004 attack.t1105 detection.emerging-threats  ·
Share on: linkedin copy

Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.

Sigma rule (View on GitHub)

 1title: Axios NPM Compromise Indicators - macOS
 2id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
 3status: experimental
 4description: |
 5        Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
 6author: Swachchhanda Shrawan Poudel (Nextron Systems)
 7references:
 8    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
 9    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
10    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
11    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
12    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
13date: 2026-04-01
14tags:
15    - attack.initial-access
16    - attack.t1195.002
17    - attack.execution
18    - attack.command-and-control
19    - attack.defense-evasion
20    - attack.t1059.002
21    - attack.t1059.004
22    - attack.t1105
23    - detection.emerging-threats
24logsource:
25    category: process_creation
26    product: macos
27detection:
28    selection_osascript:
29        CommandLine|contains|all:
30            - 'nohup '
31            - 'osascript '
32            - '/tmp/6202033'
33    selection_curl_download:
34        CommandLine|contains|all:
35            - 'curl '
36            - 'packages.npm.org/product'
37            - '/Library/Caches/com.apple.act.mond'
38    selection_cleanup:
39        CommandLine|contains|all:
40            - 'rm '
41            - '-rf '
42            - '/tmp/6202033'
43    condition: 1 of selection_*
44falsepositives:
45    - Unlikely
46level: high

References

Related rules

to-top