Emerging Threathighexperimental
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Apr 012db0458c-05c9-4069-a26f-77becd9c8c132026
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
macOSFile Event
ProductmacOS← raw: macos
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection_curl_download:
Image|endswith: '/curl'
TargetFilename: '/Library/Caches/com.apple.act.mond'
selection_node_shell:
Image|endswith: '/node'
TargetFilename: '/tmp/6202033'
condition: 1 of selection_*False Positives
Highly unlikely
MITRE ATT&CK
Techniques
Sub-techniques
Other
detection.emerging-threats
Rule Metadata
Rule ID
2db0458c-05c9-4069-a26f-77becd9c8c13
Status
experimental
Level
high
Type
Emerging Threat
Created
Wed Apr 01
Path
rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/file_event_macos_axios_npm_compromise_indicators.yml
Raw Tags
attack.initial-accessattack.t1195.002attack.command-and-controlattack.t1105detection.emerging-threats