Axios NPM Compromise Indicators - Windows

Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (for C2 communication), and a copy of PowerShell masquerading as Windows Terminal.

Sigma rule

title: Axios NPM Compromise Indicators - Windows
id: f6c27ecc-d890-4452-80e6-2e274a10e097
status: experimental
description: |
    Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        ParentImage|endswith:
            - '\node.exe'
            - '\bun.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'cscript'
            - 'AppData\Local\Temp'
            - '//nologo && del'
            - '6202033.vbs'
    selection_curl:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
        CommandLine|contains: 'http://sfrclak.com'
    selection_susp_cli:
        OriginalFileName: 'PowerShell.EXE'
        CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high
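To show how the three selections and the "1 of selection_*" condition behave on real log fields, here is an added Python evaluator (it is not the rule author's or the Sigma project's code) run over constructed process_creation events. Field names follow the Sigma Windows taxonomy; the file paths and the benign node-gyp command line in the sample events are assumed, while the indicator strings come from the rule above.

```python
# Added example (not the Sigma project's or the rule author's code): a minimal
# evaluator for the rule's three selections over constructed process events.
# Sigma matching is case-insensitive; "1 of selection_*" fires on any one.
from typing import Dict, List

# Each selection: list of (field, modifier, patterns); all fields must match.
RULE: Dict[str, list] = {
    "selection_cscript": [
        ("ParentImage", "endswith", ["\\node.exe", "\\bun.exe"]),
        ("Image", "endswith", ["\\cmd.exe"]),
        ("CommandLine", "contains|all",
         ["cscript", "AppData\\Local\\Temp", "//nologo && del", "6202033.vbs"]),
    ],
    "selection_curl": [
        ("Image", "endswith", ["\\curl.exe", "\\powershell.exe"]),
        ("CommandLine", "contains", ["http://sfrclak.com"]),
    ],
    "selection_susp_cli": [
        ("OriginalFileName", "equals", ["PowerShell.EXE"]),
        ("CommandLine", "contains",
         ['"C:\\ProgramData\\wt.exe" -w hidden -ep bypass -file']),
    ],
}

def field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    v, pats = value.lower(), [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    return v in pats  # plain value: exact, case-insensitive equality

def matching_selections(event: Dict[str, str]) -> List[str]:
    """Selections the event satisfies; a non-empty list means the rule fires."""
    return [name for name, conds in RULE.items()
            if all(field_matches(event.get(f, ""), m, p) for f, m, p in conds)]

# Constructed sample events (Sigma Windows field names; paths are assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cscript C:\Users\u\AppData\Local\Temp\6202033.vbs //nologo && del C:\Users\u\AppData\Local\Temp\6202033.vbs"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s http://sfrclak.com/"},
    {"Image": r"C:\ProgramData\wt.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file C:\ProgramData\script.ps1'},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c node-gyp rebuild"},  # benign npm build step: must not fire
]
```

Only the fourth event, an ordinary node-spawned build step, produces no match, which is the distinction the contains|all list on CommandLine is there to make.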
