Attackers Hijacked the Axios npm Maintainer Account and Deployed a Self-Erasing RAT to Millions of Developers

Tags: supply chain attack, npm, axios, malware
The Axios npm campaign is a critical supply chain attack on the widely used npm package axios. The latest version, [email protected], introduces a dependency on [email protected], a newly published package that is part of the compromise. The attack is characterized by a malicious package that acts as an obfuscated dropper/loader: it deobfuscates embedded payloads, dynamically loads system modules to evade detection, and executes shell commands. The malware stages and copies payload files into system directories and deletes its artifacts after execution to hinder forensic analysis.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

DET0720 - Detection of Obfuscated Files or Information

Analytics (Analytic ID: Analytic Description)

  AN1851: Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

  AN1852: Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

DET0249 - Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes

Analytics (Analytic ID: Analytic Description)

  AN0693: Remote/API-driven creation and start of a container whose image is not on an allow-list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create ➜ start ➜ first network/process actions from that container within a short time window.


DET0309 - Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) Detection Strategy

Analytics (Analytic ID: Analytic Description)

  AN0862: Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.

Log Sources

  Data Component | Name | Channel
  Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
  Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6
  Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
  File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
  Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14
  Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22
  File Metadata (DC0059) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or invalid image for newly installed/updated binaries
  Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to non-approved update hosts right after install/update

Mutable Elements

  Field | Description
  TimeWindow | Correlate write → first-run → egress (default 90 minutes).
  ApprovedUpdateHosts | Allow-list of vendor update endpoints, enterprise proxy/cache.
  ApprovedSigners | Code-signing publishers allowed for programs/services.
  ProgramPaths | Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%).
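The DET0309 correlation chain above, as an added example that is not part of this page or of any vendor detection product: a small Python correlator over constructed Sysmon-style events that ties an installer's write under a monitored ProgramPath to that binary's first run and its first outbound connection within TimeWindow, and raises an alert when the signer is not in ApprovedSigners or the destination is not in ApprovedUpdateHosts. The host names, signer names and the flattened event field layout are assumptions.

```python
from datetime import datetime, timedelta

# Tunable fields from DET0309's "Mutable Elements" table; the values here are assumptions.
TIME_WINDOW = timedelta(minutes=90)
APPROVED_UPDATE_HOSTS = {"updates.vendor.example"}
APPROVED_SIGNERS = {"Vendor Corp"}
PROGRAM_PATHS = ("c:\\program files", "c:\\programdata")
INSTALLERS = ("msiexec.exe", "setup.exe", "update.exe")

def _ts(e):
    return datetime.fromisoformat(e["t"])

def correlate(events):
    """One alert per installer -> write -> first run -> egress chain (DET0309) with an unapproved signer or host."""
    events = sorted(events, key=_ts)
    installers = {e["pid"] for e in events
                  if e["code"] == 1 and e["image"].lower().endswith(INSTALLERS)}
    writes = [e for e in events if e["code"] == 11 and e["pid"] in installers
              and e["target"].lower().startswith(PROGRAM_PATHS)]
    alerts = []
    for w in writes:
        deadline = _ts(w) + TIME_WINDOW          # every later step must land inside the window
        runs = [e for e in events if e["code"] == 1
                and e["image"].lower() == w["target"].lower()
                and _ts(w) <= _ts(e) <= deadline]
        for run in runs:
            signer_ok = run.get("signer") in APPROVED_SIGNERS
            for net in events:
                if net["code"] != 3 or net["pid"] != run["pid"]:
                    continue
                if not (_ts(run) <= _ts(net) <= deadline):
                    continue
                if not (signer_ok and net["dest"] in APPROVED_UPDATE_HOSTS):
                    alerts.append({"binary": w["target"], "signer_approved": signer_ok,
                                   "dest": net["dest"]})
    return alerts

# Constructed Sysmon-style events (EventCode 1 process, 11 file create, 3 network); not real telemetry.
SAMPLE_EVENTS = [
    {"t": "2024-01-01T10:00:00", "code": 1, "pid": 100, "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"t": "2024-01-01T10:01:00", "code": 11, "pid": 100, "target": "C:\\Program Files\\App\\app.exe"},
    {"t": "2024-01-01T10:05:00", "code": 1, "pid": 200, "image": "C:\\Program Files\\App\\app.exe", "signer": "Unknown"},
    {"t": "2024-01-01T10:06:00", "code": 3, "pid": 200, "dest": "cdn.unexpected.example"},
    # benign update: approved signer talking to an approved update host, so no alert
    {"t": "2024-01-01T12:00:00", "code": 11, "pid": 100, "target": "C:\\Program Files\\Tool\\tool.exe"},
    {"t": "2024-01-01T12:02:00", "code": 1, "pid": 300, "image": "C:\\Program Files\\Tool\\tool.exe", "signer": "Vendor Corp"},
    {"t": "2024-01-01T12:03:00", "code": 3, "pid": 300, "dest": "updates.vendor.example"},
    # same binary connecting out three hours later: outside TIME_WINDOW of the write, not correlated
    {"t": "2024-01-01T15:00:00", "code": 3, "pid": 300, "dest": "cdn.unexpected.example"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields exactly one alert, for app.exe, because the benign chain passes both allow-lists and the late connection falls outside the window.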

Observed Countries (250)
