(nviso.eu) Supply Chain Attack via Compromised Axios npm Package: RAT Deployment Analysis and Hunting Guidance

Malicious Axios npm packages (1.14.1, 0.30.4) deployed a cross-platform RAT via a trojanized [email protected] dependency in a supply chain attack following a maintainer account compromise.

In brief - Two Axios npm versions were compromised via a maintainer account breach, delivering a RAT through a malicious dependency. Immediate lockfile inspection, endpoint isolation, and credential rotation are critical for affected organizations.

Technically - The postinstall dropper (setup.js) executed via node.exe, identified the OS, and on Windows copied powershell.exe to C:\ProgramData\wt.exe. A VBS dropper (6202033.vbs) fetched a second-stage PowerShell script (6202033.ps1) from C2 hxxp[://]sfrclak[.]com:8000/6202033, establishing persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run ('MicrosoftUpdate'). KQL queries for MDE telemetry (DeviceNetworkEvents, DeviceProcessEvents) can detect exposure. IOCs include C2 domains sfrclak[.]com, callnrwise[.]com, calltan[.]com and IPs 142[.]11[.]206[.]73, 23[.]254[.]167[.]216.
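The lockfile inspection called for above is the quickest way to establish exposure. The following scanner is an added example, not NVISO tooling: it walks a `package-lock.json` in either the lockfileVersion 1 layout (nested `dependencies`) or the v2/v3 layout (flat `packages` keyed by install path) and reports every occurrence of the two compromised axios versions named in the post, including copies nested under other packages. The sample lockfiles are constructed for the demo; the `COMPROMISED` map holds only the versions stated here and is meant to be extended from your own threat intel feed (the trojanized dependency's own name is not reproduced on this page, so it is not included).

```python
"""Scan npm lockfiles for the compromised axios releases named in the write-up.

Added example (not part of the NVISO post). Handles both package-lock.json
formats:
  * lockfileVersion 1: nested "dependencies" tree
  * lockfileVersion 2/3: flat "packages" map keyed by install path
Sample lockfiles below are constructed for demonstration.
"""
import json
import sys
from typing import Iterator

# Compromised versions as stated in the post. Extend from your CTI feed.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
}

Hit = tuple[str, str, str]  # (package name, version, install path)


def _walk_v1(deps: dict, prefix: str) -> Iterator[Hit]:
    """Yield (name, version, path) from a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield name, meta.get("version", ""), path
        # Nested copies live under <path>/node_modules/...
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")


def _walk_v2(packages: dict) -> Iterator[Hit]:
    """Yield (name, version, path) from a v2/v3 'packages' map."""
    for path, meta in packages.items():
        if not path:  # "" is the root project entry, not an installed package
            continue
        # Aliased installs carry an explicit "name"; otherwise derive it from
        # the path (works for scoped names like node_modules/@scope/pkg too).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path


def iter_installed(lock: dict) -> Iterator[Hit]:
    """Enumerate every installed package in either lockfile format."""
    if "packages" in lock:
        yield from _walk_v2(lock["packages"])
    elif "dependencies" in lock:
        yield from _walk_v1(lock["dependencies"], "")


def find_compromised(lock: dict, bad: dict = COMPROMISED) -> list[Hit]:
    """Return sorted, de-duplicated hits for any known-bad package@version."""
    hits = {
        (name, version, path)
        for name, version, path in iter_installed(lock)
        if version in bad.get(name, ())
    }
    return sorted(hits)


def scan_file(path: str) -> list[Hit]:
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


# --- constructed sample lockfiles -------------------------------------------
SAMPLE_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-lib": {"version": "2.0.0"},
        # a clean nested copy that must not be flagged
        "node_modules/some-lib/node_modules/axios": {"version": "1.7.9"},
    },
}

SAMPLE_V1 = {
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "legacy-client": {
            "version": "3.1.0",
            "dependencies": {"axios": {"version": "0.30.4"}},
        },
        "axios": {"version": "1.6.0"},
    },
}

if __name__ == "__main__":
    # Usage: python scan_lock.py package-lock.json [more lockfiles...]
    targets = sys.argv[1:]
    results = (
        [(p, scan_file(p)) for p in targets]
        if targets
        else [("SAMPLE_V3", find_compromised(SAMPLE_V3)),
              ("SAMPLE_V1", find_compromised(SAMPLE_V1))]
    )
    exposed = False
    for label, hits in results:
        for name, version, path in hits:
            exposed = True
            print(f"[!] {label}: {name}@{version} at {path}")
    sys.exit(1 if exposed else 0)
```

Run it against every `package-lock.json` in a repository (and CI caches) rather than only the root one; a non-zero exit code makes it easy to wire into a pipeline gate. A hit means the host that ran `npm install` on that lockfile should be treated as potentially compromised, which is where the endpoint isolation and credential rotation steps above come in.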

Source: https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/

#Cybersecurity #ThreatIntel
