Axios NPM Compromise Indicators - Windows

Rule Info

Name
Axios NPM Compromise Indicators - Windows
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Date
2026-04-01 00:00:00
Modified
None
Id
f6c27ecc-d890-4452-80e6-2e274a10e097
Tags
attack.initial-access attack.t1195.002 attack.execution attack.command-and-control attack.defense-evasion attack.t1059.003 attack.t1059.005 attack.t1105 detection.emerging-threats
Type
Community Rule

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5928 from @swachchhanda000 - Add Axios NPM Compromise Indicators Related Rules
Date
2026-04-01
Commit