Emerging Threat | Level: high | Status: experimental

Axios NPM Compromise Malicious C2 Domain DNS Query

Detects DNS queries for the malicious C2 domains associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The rule fires when an endpoint attempts to resolve one of the attacker's command-and-control domains listed in the selection below (for example sfrclak.com).

Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Wed Apr 01 2026

Type: Emerging Threat (Active Threat)

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Category: dns
Detection Logic (1 selector)
detection:
    selection:
        # plain string values: case-insensitive exact match on the DNS query name
        query:
            - 'sfrclak.com'
            - 'calltan.com'
            - 'callnrwise.com'
    condition: selection
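To show how the selection above behaves on real telemetry, here is an added example (not code from the rule author, Nextron, or the Sigma project) that evaluates the rule's indicator list over DNS query events. It mirrors Sigma's semantics for plain string values, a case-insensitive exact match on the field, and also runs a broader `endswith`-style comparison so the difference is visible: the rule as written matches `sfrclak.com` but not a subdomain such as `cdn.calltan.com`. The JSON-lines log format, the field names, and the sample events are constructed for this example.

```python
"""Evaluate the Sigma DNS-indicator selection against sample DNS query events.

Added example, not code from the rule author or the Sigma project. A plain
string value in a Sigma selection means case-insensitive equality, so that is
the default mode here; the 'endswith' mode shows what a 'query|endswith'
modifier would match instead. Log format and events below are constructed.
"""
import json

# Indicator list copied from the rule's selection
C2_DOMAINS = ["sfrclak.com", "calltan.com", "callnrwise.com"]

# Constructed sample DNS events (JSON lines), not real telemetry
SAMPLE_LOG = """\
{"ts": "2026-04-01T09:12:03Z", "host": "dev-laptop-07", "query": "registry.npmjs.org"}
{"ts": "2026-04-01T09:12:05Z", "host": "dev-laptop-07", "query": "SFRCLAK.COM"}
{"ts": "2026-04-01T09:12:06Z", "host": "build-agent-02", "query": "calltan.com."}
{"ts": "2026-04-01T09:12:08Z", "host": "dev-laptop-07", "query": "cdn.calltan.com"}
{"ts": "2026-04-01T09:13:00Z", "host": "ci-runner-11", "query": "github.com"}
"""


def matches_selection(event, domains=C2_DOMAINS, mode="exact"):
    """Return True if event['query'] matches the selection.

    mode="exact"    -> Sigma plain-string semantics (case-insensitive equality),
                       which is what the rule above specifies.
    mode="endswith" -> the broader comparison a 'query|endswith' modifier gives
                       (also matches subdomains); shown for comparison only.
    A trailing dot (FQDN form, as some resolvers log it) is stripped first.
    """
    q = str(event.get("query", "")).rstrip(".").lower()
    for d in domains:
        d = d.lower()
        if mode == "exact" and q == d:
            return True
        if mode == "endswith" and (q == d or q.endswith("." + d)):
            return True
    return False


def run_rule(log_text, mode="exact"):
    """Parse JSON lines and return the events that trigger the selection."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than fail the whole batch
        if matches_selection(event, mode=mode):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for mode in ("exact", "endswith"):
        hits = run_rule(SAMPLE_LOG, mode=mode)
        print(f"[{mode}] {len(hits)} alert(s)")
        for h in hits:
            print(f"  {h['ts']} {h['host']} queried {h['query']}")
```

On the constructed log the exact-match mode produces two alerts (the upper-case `SFRCLAK.COM` lookup and the FQDN-form `calltan.com.`), while the endswith mode adds the `cdn.calltan.com` lookup. If your DNS telemetry commonly records subdomains or FQDNs with trailing dots, that difference decides whether the rule as written would have fired, so check the normalization your backend applies before relying on the exact form.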
False Positives: Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK
Command and Control: T1071.001 (Application Layer Protocol: Web Protocols), T1568 (Dynamic Resolution)

Other
detection.emerging-threats
Rule Metadata
Rule ID: 73e5d24f-493f-4092-bd2f-c72cabda40ee
Status: experimental
Level: high
Type: Emerging Threat
Created: Wed Apr 01
Path: rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/net_dns_axios_npm_compromise_indicator.yml
Raw Tags: attack.command-and-control, attack.t1071.001, attack.t1568, detection.emerging-threats