Detections for the Axios supply chain compromise

A supply chain attack targeting Axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency ([email protected]) that executed during installation. The attack deploys cross-platform payloads across Linux, Windows, and macOS through a consistent pattern: Node.js spawns OS-native shells to retrieve and execute remote payloads in detached or hidden contexts. Linux victims receive a Python-based RAT, Windows systems get a PowerShell backdoor with registry persistence, and macOS hosts are compromised with a Mach-O binary backdoor. All variants beacon to the same C2 infrastructure, performing host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. The malicious activity is reliably detected through behavioral signatures focusing on unusual Node.js process ancestry and remote payload retrieval rather than static indicators.

Pulse ID: 69d4e63921cbadb426b7cd2a
Pulse Link: https://otx.alienvault.com/pulse/69d4e63921cbadb426b7cd2a
Pulse Author: AlienVault
Created: 2026-04-07 11:10:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Linux #Mac #MacOS #NPM #Nodejs #OTX #OpenThreatExchange #PowerShell #Python #RAT #SupplyChain #Windows #bot #iOS #AlienVault