Rule Info
Name
Axios NPM Compromise Malicious C2 Domain DNS Query
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
On March 30, 2026, malicious versions of Axios (1.14.1 and 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) whose postinstall script acted as a cross-platform RAT dropper.
This rule flags endpoints attempting to resolve the attacker's C2 domain (sfrclak.com), which is used for command-and-control communication.
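The check the description sketches, as an added example that is not the Sigma rule itself or Nextron's code: a small Python scanner that flags DNS query events whose name is sfrclak.com or any subdomain of it. The Sysmon-style field names (EventID 22, QueryName, Image, Computer) are an assumption, and the sample events are constructed.

```python
import json

# Indicator taken from the rule description: the attacker's C2 domain.
C2_DOMAINS = {"sfrclak.com"}


def normalize(name):
    """Lower-case and drop the trailing dot that some resolvers log."""
    return name.strip().lower().rstrip(".")


def matches_c2(query_name):
    """True for the C2 domain itself or any subdomain of it."""
    # A bare substring test would also fire on look-alikes such as
    # 'notsfrclak.com', so the suffix check requires a label boundary.
    q = normalize(query_name)
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan_events(lines):
    """Apply the check to newline-delimited JSON DNS events; return hits."""
    # Assumed Sysmon-style fields: EventID 22, QueryName, Image, Computer.
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the scan
        if ev.get("EventID") != 22:
            continue  # only DNS query events carry a QueryName
        qn = ev.get("QueryName", "")
        if matches_c2(qn):
            hits.append({"host": ev.get("Computer"), "image": ev.get("Image"), "query": qn})
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 22, "Computer": "dev-01", "Image": "C:\\Program Files\\nodejs\\node.exe", "QueryName": "sfrclak.com"}
{"EventID": 22, "Computer": "dev-02", "Image": "/usr/bin/node", "QueryName": "api.SFRCLAK.com."}
{"EventID": 22, "Computer": "dev-03", "Image": "/usr/bin/node", "QueryName": "registry.npmjs.org"}
{"EventID": 22, "Computer": "dev-04", "Image": "/usr/bin/curl", "QueryName": "notsfrclak.com"}
{"EventID": 1, "Computer": "dev-05", "Image": "/usr/bin/node", "QueryName": "sfrclak.com"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the first two sample events should fire: the exact domain, and a mixed-case subdomain with a trailing dot; the look-alike domain and the non-DNS event are ignored.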
Date
2026-04-01 00:00:00
Modified
None
Id
73e5d24f-493f-4092-bd2f-c72cabda40ee
Tags
attack.command-and-control attack.t1071.001 attack.t1568 detection.emerging-threats
Type
Community Rule
Link to Public Repo
Rule History
Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules | 2026-04-01 |
