Axios NPM Compromise File Creation Indicators - Windows

Rule Info

Name: Axios NPM Compromise File Creation Indicators - Windows
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm; they injected a dependency (plain-crypto-js@4.2.1) whose postinstall script acted as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. On Windows the attack used cscript.exe (VBScript), curl.exe (C2 communication), and PowerShell masquerading as Windows Terminal.
Date: 2026-04-01 00:00:00
Modified: None
Id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
Tags: attack.initial-access attack.t1195.002 detection.emerging-threats
Type: Community Rule

Rule History

Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules | 2026-04-01 |