{ "type": "SHA1", "indicator": "2553649f2322049666871cea80a5d0d6adc700ca", "general": { "sections": [ "general", "analysis" ], "type": "sha1", "type_title": "FileHash-SHA1", "indicator": "2553649f2322049666871cea80a5d0d6adc700ca", "validation": [], "base_indicator": { "id": 4290451638, "indicator": "21d2470cae072cf2d027d473d168158c", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69cda35868f6af78fc09b167", "name": "Threat Brief: Widespread Impact of the Axios Supply Chain Attack", "description": "A sophisticated supply chain attack compromised the Axios JavaScript library after threat actors hijacked an npm maintainer account, releasing malicious versions v1.14.1 and v0.30.4. These versions contained a hidden dependency called plain-crypto-js, which deployed a cross-platform remote access Trojan affecting Windows, macOS, and Linux systems. The malware performed reconnaissance, established persistence, and included self-destruct capabilities for evasion. Using a heavily obfuscated dropper script, the attack fetched platform-specific payloads from a command-and-control server while disguising traffic as legitimate npm registry requests. All variants shared identical C2 protocols and beaconed every 60 seconds. The campaign impacted multiple sectors across the U.S., Europe, Middle East, South Asia, and Australia, with analysis showing overlap with DPRK-linked operations.", "modified": "2026-04-08T10:55:07.494000", "created": "2026-04-01T22:59:36.602000", "tags": [ "javascript trojan", "dprk attribution", "supply chain attack", "axios library", "cross-platform rat", "plain-crypto-js", "waveshaper", "waveshaper overlap", "npm hijacking" ], "references": [ "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WAVESHAPER", "display_name": "WAVESHAPER", "target": null }, { "id": "plain-crypto-js", "display_name": "plain-crypto-js", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 24, "URL": 2, "domain": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 376731, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cf03e05f6b299dc3efd2cd", "name": "Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...", "description": "On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments.", "modified": "2026-04-03T16:45:59.385000", "created": "2026-04-03T00:03:44.645000", "tags": [], "references": [ "https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 4 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 376734, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cd1aa5d630ea626fc62588", "name": "Axios Front-End Library npm Supply Chain Poisoning Alert", "description": "On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline of the project, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually released a malicious version with a Trojan backdoor through the npm CLI. When the user installs it, a persistent remote control will be established on the host. The impact is wide-ranging, and relevant users are requested to take measures for investigation and protection as soon as possible.", "modified": "2026-04-01T15:05:14.873000", "created": "2026-04-01T13:16:21.862000", "tags": [ "supply chain attack", "supply chain", "axios", "npm" ], "references": [ "https://nsfocusglobal.com/axios-front-end-library-npm-supply-chain-poisoning-alert/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 1, "domain": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 376733, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cbb6559ec175684e1e7611", "name": "Axios NPM Distribution Compromised in Supply Chain Attack", "description": "An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The malicious package includes a dropper that downloads and executes platform-specific second-stage payloads, functioning as remote access trojans. These payloads can execute remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.", "modified": "2026-04-01T13:19:33.871000", "created": "2026-03-31T11:56:05.696000", "tags": [ "npm", "remote access trojan", "supply chain attack", "axios", "credential compromise", "plain-crypto-js" ], "references": [ "https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 376734, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cbf7d7db7968b35905f4fe", "name": "Supply-Chain Compromise of axios npm Package", "description": "A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's npm account, bypassing normal publishing workflows. The malicious payload performed system reconnaissance, established persistence on Windows, and provided remote access capabilities. The attack affected numerous organizations and potentially exposed sensitive credentials. Immediate mitigation steps include pinning to safe versions, removing malicious dependencies, rotating credentials, and blocking the command and control server.", "modified": "2026-03-31T18:35:03.196000", "created": "2026-03-31T16:35:35.338000", "tags": [ "remote-access-trojan", "credential-theft", "axios", "cross-platform", "supply-chain", "remote access trojan", "npm" ], "references": [ "https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 376733, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69d33ab7ea748feb1c34bdaa", "name": "Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...", "description": "", "modified": "2026-04-06T04:46:47.506000", "created": "2026-04-06T04:46:47.506000", "tags": [], "references": [ "https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69cf03e05f6b299dc3efd2cd", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 4 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 262, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-04-04T15:58:19.293000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "IPv4": 18, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69d0ba829243f1b1b38fec17", "name": "awddfgbdfg", "description": "", "modified": "2026-04-04T07:15:14.021000", "created": "2026-04-04T07:15:14.021000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 8, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-01T16:41:28.726000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 693, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cca0caa840abf89b1e6927", "name": "Supply-Chain Compromise of axios npm Package", "description": "", "modified": "2026-04-01T04:36:26.774000", "created": "2026-04-01T04:36:26.774000", "tags": [ "remote-access-trojan", "credential-theft", "axios", "cross-platform", "supply-chain", "remote access trojan", "npm" ], "references": [ "https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69cbf7d7db7968b35905f4fe", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 262, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cb5bdac50914ba42a0f6c3", "name": "Axios Package Hijacked to Execute Remote Access Attacks", "description": "", "modified": "2026-03-31T10:20:13.160000", "created": "2026-03-31T05:30:02.099000", "tags": [ "windows", "github actions", "linux", "c2 url", "hardenrunner", "stepsecurity", "cicd", "post body", "vbscript", "c2 post", "malicious", "powershell", "verify", "macos", "copy", "write", "install", "linux python", "kics", "python" ], "references": [ "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux Python", "display_name": "Linux Python", "target": null }, { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": "69cb5652f7631ef4d5db41fb", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ThreatIntelligence_feed", "id": "376862", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 5, "IPv4": 1, "URL": 10, "domain": 2, "email": 2, "hostname": 4 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cb5652f7631ef4d5db41fb", "name": "Axios Package Hijacked to Execute Remote Access Attacks", "description": "A popular HTTP client library, axios, has been compromised by an attacker who published two malicious versions of the library on the npm platform.. and then published them on its own GitHub Actions.", "modified": "2026-03-31T05:06:26.350000", "created": "2026-03-31T05:06:26.350000", "tags": [ "windows", "github actions", "linux", "c2 url", "hardenrunner", "stepsecurity", "cicd", "post body", "vbscript", "c2 post", "malicious", "powershell", "verify", "macos", "copy", "write", "install", "linux python", "kics", "python" ], "references": [ "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux Python", "display_name": "Linux Python", "target": null }, { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 5, "IPv4": 1, "URL": 10, "domain": 3, "email": 2, "hostname": 4 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://nsfocusglobal.com/axios-front-end-library-npm-supply-chain-poisoning-alert/", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/", "IOCs.2026.pdf", "https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://socket.dev/blog/axios-npm-package-compromised", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Waveshaper", "Plain-crypto-js" ], "industries": [] }, "other": { "adversary": [ "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT" ], "malware_families": [ "Kics", "Linux python", "Python" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69cda35868f6af78fc09b167", "name": "Threat Brief: Widespread Impact of the Axios Supply Chain Attack", "description": "A sophisticated supply chain attack compromised the Axios JavaScript library after threat actors hijacked an npm maintainer account, releasing malicious versions v1.14.1 and v0.30.4. These versions contained a hidden dependency called plain-crypto-js, which deployed a cross-platform remote access Trojan affecting Windows, macOS, and Linux systems. The malware performed reconnaissance, established persistence, and included self-destruct capabilities for evasion. Using a heavily obfuscated dropper script, the attack fetched platform-specific payloads from a command-and-control server while disguising traffic as legitimate npm registry requests. All variants shared identical C2 protocols and beaconed every 60 seconds. The campaign impacted multiple sectors across the U.S., Europe, Middle East, South Asia, and Australia, with analysis showing overlap with DPRK-linked operations.", "modified": "2026-04-08T10:55:07.494000", "created": "2026-04-01T22:59:36.602000", "tags": [ "javascript trojan", "dprk attribution", "supply chain attack", "axios library", "cross-platform rat", "plain-crypto-js", "waveshaper", "waveshaper overlap", "npm hijacking" ], "references": [ "https://unit42.paloaltonetworks.com/axios-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WAVESHAPER", "display_name": "WAVESHAPER", "target": null }, { "id": "plain-crypto-js", "display_name": "plain-crypto-js", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 24, "URL": 2, "domain": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 376731, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cf03e05f6b299dc3efd2cd", "name": "Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...", "description": "On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments.", "modified": "2026-04-03T16:45:59.385000", "created": "2026-04-03T00:03:44.645000", "tags": [], "references": [ "https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 4 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 376734, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cd1aa5d630ea626fc62588", "name": "Axios Front-End Library npm Supply Chain Poisoning Alert", "description": "On March 31, NSFOCUS CERT detected that the npm repository of the HTTP client library Axios was poisoned by the supply chain. The attacker bypassed the normal GitHub Actions CI/CD pipeline of the project, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually released a malicious version with a Trojan backdoor through the npm CLI. When the user installs it, a persistent remote control will be established on the host. The impact is wide-ranging, and relevant users are requested to take measures for investigation and protection as soon as possible.", "modified": "2026-04-01T15:05:14.873000", "created": "2026-04-01T13:16:21.862000", "tags": [ "supply chain attack", "supply chain", "axios", "npm" ], "references": [ "https://nsfocusglobal.com/axios-front-end-library-npm-supply-chain-poisoning-alert/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 1, "domain": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 376733, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cbb6559ec175684e1e7611", "name": "Axios NPM Distribution Compromised in Supply Chain Attack", "description": "An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The malicious package includes a dropper that downloads and executes platform-specific second-stage payloads, functioning as remote access trojans. These payloads can execute remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.", "modified": "2026-04-01T13:19:33.871000", "created": "2026-03-31T11:56:05.696000", "tags": [ "npm", "remote access trojan", "supply chain attack", "axios", "credential compromise", "plain-crypto-js" ], "references": [ "https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 376734, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69cbf7d7db7968b35905f4fe", "name": "Supply-Chain Compromise of axios npm Package", "description": "A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's npm account, bypassing normal publishing workflows. The malicious payload performed system reconnaissance, established persistence on Windows, and provided remote access capabilities. The attack affected numerous organizations and potentially exposed sensitive credentials. Immediate mitigation steps include pinning to safe versions, removing malicious dependencies, rotating credentials, and blocking the command and control server.", "modified": "2026-03-31T18:35:03.196000", "created": "2026-03-31T16:35:35.338000", "tags": [ "remote-access-trojan", "credential-theft", "axios", "cross-platform", "supply-chain", "remote access trojan", "npm" ], "references": [ "https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 376733, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69d33ab7ea748feb1c34bdaa", "name": "Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...", "description": "", "modified": "2026-04-06T04:46:47.506000", "created": "2026-04-06T04:46:47.506000", "tags": [], "references": [ "https://www.sentinelone.com/blog/securing-the-supply-chain-how-sentinelones-ai-edr-stops-the-axios-attack-autonomously/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69cf03e05f6b299dc3efd2cd", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 4 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 262, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-04-04T15:58:19.293000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "IPv4": 18, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 264, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69d0ba829243f1b1b38fec17", "name": "awddfgbdfg", "description": "", "modified": "2026-04-04T07:15:14.021000", "created": "2026-04-04T07:15:14.021000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 8, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-01T16:41:28.726000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 693, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69cca0caa840abf89b1e6927", "name": "Supply-Chain Compromise of axios npm Package", "description": "", "modified": "2026-04-01T04:36:26.774000", "created": "2026-04-01T04:36:26.774000", "tags": [ "remote-access-trojan", "credential-theft", "axios", "cross-platform", "supply-chain", "remote access trojan", "npm" ], "references": [ "https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69cbf7d7db7968b35905f4fe", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 262, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2553649f2322049666871cea80a5d0d6adc700ca", "type": "Hash" }, "abuseipdb": null, "urlhaus": null, "from_cache": true, "_cached_at": 1776250987.2401311 }