
Attackers Hijacked the Axios npm Maintainer Account and Deployed a Self-Erasing RAT to Millions of Developers
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTIONS
DET0720-Detection of Obfuscated Files or Information
ID | Name | Analytic ID | Analytic Description |
DET0720 | Detection of Obfuscated Files or Information | | Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. |
DET0249-Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes
ID | Name | Analytic ID | Analytic Description |
DET0249 | Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes | AN0693 | Remote/API driven creation and start of a container whose image is not on an allow‑list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create ➜ start ➜ first network/process actions from that container within a short time window. |
DET0309 - Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly), Detection Strategy
AN0862
Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.
Log Sources
Data Component | Name | Channel |
WinEventLog:Sysmon | EventCode=1 | |
WinEventLog:Sysmon | EventCode=6 | |
WinEventLog:Sysmon | EventCode=7 | |
WinEventLog:Sysmon | EventCode=11 | |
WinEventLog:Sysmon | EventCode=13, 14 | |
WinEventLog:Sysmon | EventCode=3, 22 | |
WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or invalid image for newly installed/updated binaries | |
NSM:Flow | First-time egress to non-approved update hosts right after install/update | |
Mutable Elements
Field | Description |
TimeWindow | Correlate write→first-run→egress (default 90 minutes). |
ApprovedUpdateHosts | Allow-list of vendor update endpoints, enterprise proxy/cache. |
ApprovedSigners | Code-signing publishers allowed for programs/services. |
ProgramPaths | Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%). |
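The four-stage chain above (installer write → first run → script/shell child → egress to a non-approved host, all inside TimeWindow) can be expressed as a small correlator. The following is an added example written for this page, not the detection platform's own implementation: the event field names (ts, code, image, parent, target, dest), the allow-lists and the constructed Sysmon-style events are all assumptions chosen to illustrate the logic.

```python
"""Added example: correlating the DET0309 behavior chain over constructed
Sysmon-style events. Not the detection platform's own code; field names,
allow-lists and sample events are assumptions made for this illustration."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements from the strategy, with example (assumed) values.
TIME_WINDOW = timedelta(minutes=90)
APPROVED_UPDATE_HOSTS = {"updates.vendor.example", "wsus-cache.corp.example"}
PROGRAM_PATHS = ("c:\\program files", "c:\\programdata")
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe", "update.exe"}
SCRIPT_SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_program_paths(path: str) -> bool:
    return path.lower().startswith(PROGRAM_PATHS)


def correlate(events):
    """Return one alert per written binary for which all four stages occur, in order,
    within TIME_WINDOW of the write:
      1. EventCode 11: an installer/updater writes a file under a monitored program path
      2. EventCode 1:  that file is executed for the first time
      3. EventCode 1:  the first run spawns a script host or shell
      4. EventCode 3:  the binary or its child connects to a host not on the allow-list
    """
    events = sorted(events, key=lambda e: e["ts"])
    writes = {}  # lower-cased binary path -> timestamp of the installer write
    for e in events:
        if e["code"] == 11 and _basename(e["image"]) in INSTALLER_IMAGES \
                and _in_program_paths(e["target"]):
            writes.setdefault(e["target"].lower(), e["ts"])

    alerts = []
    for binary, write_ts in writes.items():
        window = [e for e in events if write_ts <= e["ts"] <= write_ts + TIME_WINDOW]
        runs = [e for e in window if e["code"] == 1 and e["image"].lower() == binary]
        if not runs:
            continue  # never executed inside the window: no stage 2
        run_ts = runs[0]["ts"]
        children = [e for e in window if e["code"] == 1 and e["ts"] >= run_ts
                    and e.get("parent", "").lower() == binary
                    and _basename(e["image"]) in SCRIPT_SHELLS]
        if not children:
            continue  # no script/shell child: no stage 3
        suspects = {binary} | {c["image"].lower() for c in children}
        egress = [e for e in window if e["code"] == 3 and e["ts"] >= children[0]["ts"]
                  and e["image"].lower() in suspects
                  and e["dest"].lower() not in APPROVED_UPDATE_HOSTS]
        if egress:
            alerts.append({"binary": binary, "write_ts": write_ts, "first_run_ts": run_ts,
                           "child": _basename(children[0]["image"]), "dest": egress[0]["dest"]})
    return alerts


def _ev(ts, code, image, **fields):
    return {"ts": datetime.fromisoformat(ts), "code": code, "image": image, **fields}


# Constructed sample telemetry (not real data): one tampered update, one legitimate
# update, and one chain whose first run falls outside the 90-minute window.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", 11, "C:\\Windows\\System32\\msiexec.exe", target="C:\\Program Files\\Acme\\acme.exe"),
    _ev("2024-05-01T10:04:00", 1, "C:\\Program Files\\Acme\\acme.exe", parent="C:\\Windows\\explorer.exe"),
    _ev("2024-05-01T10:04:03", 1, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent="C:\\Program Files\\Acme\\acme.exe"),
    _ev("2024-05-01T10:04:09", 3, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", dest="cdn-updates.example.net"),
    _ev("2024-05-01T11:00:00", 11, "C:\\Windows\\System32\\msiexec.exe", target="C:\\Program Files\\Widget\\widget.exe"),
    _ev("2024-05-01T11:02:00", 1, "C:\\Program Files\\Widget\\widget.exe", parent="C:\\Windows\\explorer.exe"),
    _ev("2024-05-01T11:02:05", 3, "C:\\Program Files\\Widget\\widget.exe", dest="updates.vendor.example"),
    _ev("2024-05-01T12:00:00", 11, "C:\\Windows\\System32\\update.exe", target="C:\\ProgramData\\Late\\late.exe"),
    _ev("2024-05-01T14:30:00", 1, "C:\\ProgramData\\Late\\late.exe", parent="C:\\Windows\\explorer.exe"),
    _ev("2024-05-01T14:30:02", 1, "C:\\Windows\\System32\\cmd.exe", parent="C:\\ProgramData\\Late\\late.exe"),
    _ev("2024-05-01T14:30:05", 3, "C:\\Windows\\System32\\cmd.exe", dest="unlisted-host.example.org"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first chain fires: the legitimate Widget update has no shell child and reaches only an approved host, and the Late chain's first run happens outside TimeWindow. Tuning means adjusting the module-level allow-lists and window rather than the correlation logic; the EventCode 6/7 and CodeIntegrity signature anomalies listed in the log sources would be added as a further stage-3 condition in the same loop.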