Axios NPM Compromise Indicators - macOS

Rule Info

Name: Axios NPM Compromise Indicators - macOS
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Date: 2026-04-01 00:00:00
Modified: None
Id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
Tags: attack.initial-access, attack.t1195.002, attack.execution, attack.command-and-control, attack.defense-evasion, attack.t1059.002, attack.t1059.004, attack.t1105, detection.emerging-threats
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
Date: 2026-04-01
Commit: