Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
  selection_cscript:
    ParentImage|endswith:
      - '\node.exe'
      - '\bun.exe'
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
      - 'cscript'
      - 'AppData\Local\Temp'
      - '//nologo && del'
      - '6202033.vbs'
  selection_curl:
    Image|endswith:
      - '\curl.exe'
      - '\powershell.exe'
    CommandLine|contains: 'http://sfrclak.com'
  selection_susp_cli:
    OriginalFileName: 'PowerShell.EXE'
    CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
  condition: 1 of selection_*
False positives: Highly unlikely
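As an added illustration (not part of the rule or of the Phoenix Studio page), the Python below evaluates the three selections with Sigma's case-insensitive endswith/contains/all semantics against constructed process-creation events, so the matching logic can be checked before a backend conversion is trusted. The sample paths, user name and the .ps1 file name in the events are assumptions; the indicator strings are the rule's own.

```python
# Added example, not the rule page's code: evaluate the rule's selections over
# constructed events. Sigma string matching is case-insensitive, so both sides are lowercased.
DETECTION = {  # transcribed from the rule's detection block
    "selection_cscript": {
        "ParentImage|endswith": [r"\node.exe", r"\bun.exe"],
        "Image|endswith": r"\cmd.exe",
        "CommandLine|contains|all": ["cscript", r"AppData\Local\Temp",
                                      "//nologo && del", "6202033.vbs"],
    },
    "selection_curl": {
        "Image|endswith": [r"\curl.exe", r"\powershell.exe"],
        "CommandLine|contains": "http://sfrclak.com",
    },
    "selection_susp_cli": {
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine|contains": r'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file',
    },
}

def field_matches(field_spec, expected, event):
    """Evaluate one 'Field|modifier' entry. A list of values is OR unless '|all' is set."""
    field, *mods = field_spec.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "contains" in mods:
        hits = [w in actual for w in wanted]
    else:
        hits = [actual == w for w in wanted]  # no modifier: exact (case-insensitive) match
    return all(hits) if "all" in mods else any(hits)

def matched_selections(event):
    """Names of selections whose every field matches; '1 of selection_*' fires on a non-empty list."""
    return [name for name, sel in DETECTION.items()
            if all(field_matches(k, v, event) for k, v in sel.items())]

# Constructed sample events (not real telemetry); field names follow Sigma's process_creation schema.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\node.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c cscript C:\Users\dev\AppData\Local\Temp\6202033.vbs //nologo && del "
                    r"C:\Users\dev\AppData\Local\Temp\6202033.vbs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s http://sfrclak.com"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\ProgramData\wt.exe",
     "OriginalFileName": "PowerShell.EXE",  # PowerShell renamed to look like Windows Terminal
     "CommandLine": r'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file C:\ProgramData\stage.ps1'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},  # benign: no selection should match
]
```

Because OriginalFileName comes from the PE version resource rather than the on-disk name, the third selection still fires when powershell.exe is copied to wt.exe, which is the masquerade the description calls out.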