Supply Chain Attack on Axios Pulls Malicious Dependency from NPM

Ruslan Mikhalov Chief of Threat Research at SOC Prime

Supply Chain Attack on Axios Pulls Malicious Dependency from NPM

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

A malicious npm package, plain-crypto-js@4.2.1, was published and later pulled in as a transitive dependency through compromised releases of the widely used JavaScript HTTP client Axios. The package uses a post-install script to deliver a multi-stage remote access trojan targeting Windows, macOS, and Linux. The attack appears to have relied on long-lived npm tokens, allowing threat actors to push malicious versions outside the project’s usual release workflow. Detecting the tampered dependency early can stop the RAT before execution on affected systems.

Investigation

Socket Research carried out static analysis of the setup.js dropper and deobfuscated encoded strings to expose the C2 domain, payload delivery logic, and targeted file system paths. The researchers identified three compromised Axios versions and two additional npm packages that contained the same malicious code. They also extracted network indicators, file paths, and user-agent strings that can be used for detection engineering and rule creation.

Mitigation

Organizations should revoke any long-lived npm tokens and rotate credentials for all potentially affected accounts. Compromised Axios versions and any packages that depend on plain-crypto-js@4.2.1 should be removed or downgraded immediately. Teams should also review lockfiles, CI/CD pipelines, and software supply-chain security controls to identify unauthorized publishing activity and reduce the chance of future package compromise.

Response

Security teams should monitor npm install logs for references to plain-crypto-js@4.2.1 and the affected Axios versions. Detection rules should be created for execution of the postinstall hook, network access to sfrclak.com, and the malicious user-agent string. If compromise is confirmed, affected systems should be quarantined, volatile memory collected for analysis, and the host reimaged if the RAT is found.

"graph TB %% Class definitions classDef technique fill:#c2e0ff classDef tool fill:#ffd9b3 classDef malware fill:#f5b7b1 classDef process fill:#d5f5e3 %% Technique nodes tech_t1195_002["Technique – T1195.002 Supply Chain Compromise: Compromise Software Supply Chain Description: Adversaries compromise software update or package distribution to deliver malicious code."] class tech_t1195_002 technique tech_t1127_003["Technique – T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus postu2011install hook Description: Malicious code is run via a postu2011install script inserted into a trusted developer utility."] class tech_t1127_003 technique tech_t1059_004["Technique – T1059.004 Command and Scripting Interpreter: Unix Shell Description: Use of Unix shell commands (curl, chmod, nohup) to download and launch payloads."] class tech_t1059_004 technique tech_t1059_001["Technique – T1059.001 Command and Scripting Interpreter: PowerShell Description: Execution of PowerShell commands to run a Windows based payload."] class tech_t1059_001 technique tech_t1059_005["Technique – T1059.005 Command and Scripting Interpreter: Visual Basic Description: Launch of a VBScript based payload."] class tech_t1059_005 technique tech_t1059_003["Technique – T1059.003 Command and Scripting Interpreter: Windows Command Shell Description: Execution of batch commands via cmd.exe."] class tech_t1059_003 technique tech_t1027_014["Technique – T1027.014 Obfuscated Files or Information: Polymorphic Code Description: Custom Base64 + XOR encoding used to hide malicious code."] class tech_t1027_014 technique tech_t1070_004["Technique – T1070.004 Indicator Removal on Host: File Deletion Description: Deleting setup.js and package.json to erase evidence."] class tech_t1070_004 technique tech_t1195_001["Technique – T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools Description: Injecting plainu2011cryptou2011js into the Axios dependency."] class tech_t1195_001 technique tech_t1127["Technique – T1127 Trusted Developer Utilities Proxy Execution (npm lifecycle hook) Description: Exploiting npm lifecycle hooks to execute malicious code during package install."] class tech_t1127 technique tech_t1082["Technique – T1082 System Information Discovery Description: Gathering OS version, hostname, current user and other system details."] class tech_t1082 technique tech_t1219["Technique – T1219 Remote Access Tools Description: Use of a macOS Machu2011O RAT for remote control."] class tech_t1219 technique tech_t1102_002["Technique – T1102.002 Web Service: Bidirectional Communication Description: HTTP POST requests to sfrclak.com for commandu2011andu2011control traffic."] class tech_t1102_002 technique tech_t1570["Technique – T1570 Lateral Tool Transfer Description: Downloading platformu2011specific binaries or scripts to the compromised host."] class tech_t1570 technique tech_t1036_005["Technique – T1036.005 Masquerading: Match Legitimate Resource Name or Location Description: Renaming package.md to package.json and using a legitimateu2011looking name wt.exe."] class tech_t1036_005 technique tech_t1036_003["Technique – T1036.003 Masquerading: Rename Legitimate Utilities Description: Renaming powershell.exe to wt.exe to blend in with normal utilities."] class tech_t1036_003 technique %% Process / tool nodes (optional illustrative nodes) process_curl["Process – curl command"] class process_curl process process_chmod["Process – chmod command"] class process_chmod process process_nohup["Process – nohup command"] class process_nohup process malware_rat["Malware – macOS Machu2011O RAT"] class malware_rat malware %% Connections showing attack flow tech_t1195_002 –>|leads_to| tech_t1127_003 tech_t1127_003 –>|uses| tech_t1059_004 tech_t1059_004 –>|executes| tech_t1059_001 tech_t1059_004 –>|executes| tech_t1059_005 tech_t1059_004 –>|executes| tech_t1059_003 tech_t1059_004 –>|employs| tech_t1027_014 tech_t1059_004 –>|leverages| tech_t1195_001 tech_t1059_004 –>|leverages| tech_t1127 tech_t1059_004 –>|collects| tech_t1082 tech_t1027_014 –>|enables| tech_t1070_004 tech_t1082 –>|enables| tech_t1219 tech_t1219 –>|communicates via| tech_t1102_002 tech_t1102_002 –>|facilitates| tech_t1570 tech_t1570 –>|results in| tech_t1036_005 tech_t1570 –>|results in| tech_t1036_003 %% Optional illustrative process links tech_t1059_004 –>|downloads| process_curl tech_t1059_004 –>|sets permissions| process_chmod tech_t1059_004 –>|runs background| process_nohup malware_rat –>|is the| tech_t1219 "

Supply Chain Attack on Axios Pulls Malicious Dependency from NPM

Summary

Investigation

Mitigation

Response

Attack Flow

Detections

Suspicious MacOS – Plist Locations and Names (via file_event)

Suspicious NodeJS Child Processes [Windows] (via cmdline)

Remote File Upload / Download via Standard Tools (via cmdline)

MacOS Suspicious Tmp Folder File Permissions Modification (via cmdline)

Suspicious CURL Usage (via cmdline)

Possible Execution by Use of chmod and nohup in Single Command (via cmdline)

Downloads to Suspicious Folders (via cmdline)

LOLBAS WScript / CScript (via process_creation)

The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)

Nohup Usage (via cmdline)

IOCs (SourceIP) to detect: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

IOCs (DestinationIP) to detect: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

IOCs (Emails) to detect: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

PowerShell and VBScript Evasion Tactics in Supply Chain Attack [Windows Process Creation]

Detection of Malicious npm Package Postinstall Hook Execution [Linux Process Creation]

Detection of Malicious Python Script and Temporary File in Linux Supply Chain Attack [Linux File Event]

Renamed Windows Terminal and Self-Deleting VBScript Detected [Windows File Event]

PowerShell Script Execution with Hidden and Bypass Flags [Windows Powershell]

Simulation Execution