Rule Info
Name
Axios NPM Compromise File Creation Indicators - MacOS
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
Date
2026-04-01 00:00:00
Modified
None
Id
2db0458c-05c9-4069-a26f-77becd9c8c13
Tags
attack.initial-access attack.t1195.002 attack.command-and-control attack.t1105 detection.emerging-threats
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
Date
2026-04-01
Commit
