Axios NPM Compromise Indicators - Windows

    Date: 04/13/2026

    Severity: High

    Summary

Detects the Windows execution chain and process tree tied to the Axios NPM supply chain attack. On March 30, 2026, malicious versions (1.14.1 and 0.30.4) were published to npm. These versions injected a dependency (plain-crypto-js@4.2.1) that ran a postinstall RAT dropper. The dropper contacted a C2 server, delivered payloads, deleted itself, and altered package.json to evade detection. The chain relied on cscript.exe (VBScript), curl.exe (C2 communication), and a PowerShell binary renamed to wt.exe so that it passes as Windows Terminal.

    Indicators of Compromise (IOC) List

    Image :

    - '\cmd.exe'

    - '\curl.exe'

    - '\powershell.exe'

    ParentImage : 

    - '\node.exe'

    - '\bun.exe'

    CommandLine : 

    - 'cscript'

    - 'AppData\Local\Temp'

    - '//nologo && del'

    - '6202033.vbs'

    - 'http://sfrclak.com'

    - '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'

    OriginalFileName : 

    - 'PowerShell.EXE'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    resourcename = "Windows Security" and eventtype = "4688" and processname like "\cmd.exe" and (parentprocessname like "\node.exe" or parentprocessname like "\bun.exe") and (commandline like "cscript" and commandline like "AppData\Local\Temp" and commandline like "//nologo && del" and commandline like "6202033.vbs")

    Detection Query 2 :

    technologygroup = "EDR" and processname like "\cmd.exe" and (parentprocessname like "\node.exe" or parentprocessname like "\bun.exe") and (commandline like "cscript" and commandline like "AppData\Local\Temp" and commandline like "//nologo && del" and commandline like "6202033.vbs")

    Detection Query 3 :

    resourcename = "Windows Security" and eventtype = "4688" and (processname like "\curl.exe" or processname like "\powershell.exe") and commandline like "http://sfrclak.com"

    Detection Query 4 :

    technologygroup = "EDR" and (processname like "\curl.exe" or processname like "\powershell.exe") and commandline like "http://sfrclak.com"

    Detection Query 5 :

    resourcename = "Windows Security" and eventtype = "4688" and originalfilename like "PowerShell.EXE" and (commandline like "C:\ProgramData\wt.exe" and commandline like "-w hidden -ep bypass -file")

    Detection Query 6 :

    technologygroup = "EDR" and originalfilename like "PowerShell.EXE" and (commandline like "C:\ProgramData\wt.exe" and commandline like "-w hidden -ep bypass -file")
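The six queries above reduce to three detection conditions. As an added example that is not Gurucul's own code, the following Python re-implements those conditions over constructed process creation events (field names follow the IOC list; the sample events are constructed, not real telemetry):

```python
from typing import Dict, List, Tuple


def _contains_all(ev: Dict[str, str], field: str, *needles: str) -> bool:
    # Case-insensitive substring match; every needle must appear, mirroring
    # the AND-ed "commandline like" clauses in the queries above.
    value = ev.get(field, "").lower()
    return all(n.lower() in value for n in needles)


def _image_ends_with(ev: Dict[str, str], field: str, *tails: str) -> bool:
    # Image indicators such as '\cmd.exe' are matched as path suffixes.
    value = ev.get(field, "").lower()
    return any(value.endswith(t.lower()) for t in tails)


def match_axios_indicators(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detection conditions this process event satisfies."""
    hits: List[str] = []
    # Queries 1/2: cmd.exe spawned by node/bun running the temp-dir VBScript and deleting it
    if (_image_ends_with(ev, "Image", "\\cmd.exe")
            and _image_ends_with(ev, "ParentImage", "\\node.exe", "\\bun.exe")
            and _contains_all(ev, "CommandLine", "cscript", "AppData\\Local\\Temp",
                              "//nologo && del", "6202033.vbs")):
        hits.append("vbs_dropper_from_node")
    # Queries 3/4: curl.exe or powershell.exe reaching the C2 domain
    if (_image_ends_with(ev, "Image", "\\curl.exe", "\\powershell.exe")
            and _contains_all(ev, "CommandLine", "http://sfrclak.com")):
        hits.append("c2_contact")
    # Queries 5/6: PowerShell binary renamed to wt.exe, launched hidden with policy bypass
    if (_contains_all(ev, "OriginalFileName", "PowerShell.EXE")
            and _contains_all(ev, "CommandLine", "C:\\ProgramData\\wt.exe",
                              "-w hidden -ep bypass -file")):
        hits.append("renamed_powershell_as_wt")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    # (index, matched conditions) for every event that fires at least one condition
    return [(i, h) for i, ev in enumerate(events) if (h := match_axios_indicators(ev))]


# Constructed sample events (not real telemetry); values follow the IOC list above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'cmd /c cscript "C:\Users\dev\AppData\Local\Temp\6202033.vbs" //nologo && del '
                    r'"C:\Users\dev\AppData\Local\Temp\6202033.vbs"'},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl.exe -s "http://sfrclak.com"'},
    {"Image": r"C:\ProgramData\wt.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\ProgramData\wt.exe" -w hidden -ep bypass -file placeholder.ps1'},
    # Benign: an ordinary npm build step spawned by node; must not fire.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'cmd /d /s /c "tsc -p ."'},
]
```

Queries 1, 3 and 5 depend on Event ID 4688 carrying the command line, which Windows records only when the "Include command line in process creation events" audit policy is enabled. OriginalFileName is not a native 4688 field; it comes from EDR or Sysmon Event ID 1 process-creation telemetry, so Query 5 only fires if that source is mapped into the Windows Security resource.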

Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_win_axios_npm_compromise_indicators.yml


Tags

    Sigma, Malware, RAT, Node Package Manager (NPM), Supply chain attack
