{
  "type": "Domain",
  "indicator": "package.md",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/package.md",
    "alexa": "http://www.alexa.com/siteinfo/package.md",
    "indicator": "package.md",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4287855001,
      "indicator": "package.md",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69ce83659fb527eb96c998a2",
          "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise",
          "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.",
          "modified": "2026-05-04T15:01:49.491000",
          "created": "2026-04-02T14:55:33.872000",
          "tags": [
            "truesec",
            "post body",
            "temp",
            "cicd",
            "rotate npm",
            "monitor",
            "npm supplychain",
            "risk detection",
            "urls",
            "network",
            "remote access"
          ],
          "references": [
            "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise",
            "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan",
            "https://www.derp.ca/research/axios-npm-supply-chain-rat/",
            "https://socket.dev/blog/axios-npm-package-compromised",
            "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/",
            "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust",
            "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections",
            "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/",
            "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/",
            "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff",
            "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026",
            "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 58,
            "FileHash-SHA1": 62,
            "FileHash-SHA256": 60,
            "URL": 28,
            "domain": 19,
            "email": 5,
            "hostname": 10,
            "CIDR": 2,
            "CVE": 2
          },
          "indicator_count": 246,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "27 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd4ab845e4c43edd557b92",
          "name": "EbeeMar2026 Pt8",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:41:28.726000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 77,
            "FileHash-MD5": 156,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 186,
            "CVE": 1,
            "URL": 19,
            "email": 6,
            "hostname": 53
          },
          "indicator_count": 657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd12aea363839ddf9b50f1",
          "name": "North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | Google Cloud Blog",
          "description": "A North Korea-Nexus threat actor is targeting a popular JavaScript package, which is used by millions of users, to deliver malware on Windows, macOS, Linux and other operating systems, analysis shows.",
          "modified": "2026-05-01T12:03:11.950000",
          "created": "2026-04-01T12:42:22.975000",
          "tags": [
            "unc1069",
            "iocs",
            "waveshaper",
            "monitor",
            "compromise",
            "windows",
            "os version",
            "file system",
            "enumeration",
            "returns",
            "threat intelligence",
            "waveshaper.v2",
            "javascript",
            "applescript",
            "linux"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"
          ],
          "public": 1,
          "adversary": "Threat Intelligence",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "WAVESHAPER.V2",
              "display_name": "WAVESHAPER.V2",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "AppleScript",
              "display_name": "AppleScript",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "WAVESHAPER",
              "display_name": "WAVESHAPER",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 14,
            "URL": 7,
            "YARA": 2,
            "domain": 4,
            "email": 3,
            "hostname": 1
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cb5652f7631ef4d5db41fb",
          "name": "Axios Package Hijacked to Execute Remote Access Attacks",
          "description": "A popular HTTP client library, axios, has been compromised by an attacker who published two malicious versions of the library on the npm platform, and then published them on its own GitHub Actions.",
          "modified": "2026-04-30T05:15:07.067000",
          "created": "2026-03-31T05:06:26.350000",
          "tags": [
            "windows",
            "github actions",
            "linux",
            "c2 url",
            "hardenrunner",
            "stepsecurity",
            "cicd",
            "post body",
            "vbscript",
            "c2 post",
            "malicious",
            "powershell",
            "verify",
            "macos",
            "copy",
            "write",
            "install",
            "linux python",
            "kics",
            "python"
          ],
          "references": [
            "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Linux Python",
              "display_name": "Linux Python",
              "target": null
            },
            {
              "id": "KICS",
              "display_name": "KICS",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 5,
            "URL": 10,
            "domain": 3,
            "email": 2,
            "hostname": 4
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cb5bdac50914ba42a0f6c3",
          "name": "Axios Package Hijacked to Execute Remote Access Attacks",
          "description": "",
          "modified": "2026-04-30T05:15:07.067000",
          "created": "2026-03-31T05:30:02.099000",
          "tags": [
            "windows",
            "github actions",
            "linux",
            "c2 url",
            "hardenrunner",
            "stepsecurity",
            "cicd",
            "post body",
            "vbscript",
            "c2 post",
            "malicious",
            "powershell",
            "verify",
            "macos",
            "copy",
            "write",
            "install",
            "linux python",
            "kics",
            "python"
          ],
          "references": [
            "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Linux Python",
              "display_name": "Linux Python",
              "target": null
            },
            {
              "id": "KICS",
              "display_name": "KICS",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69cb5652f7631ef4d5db41fb",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ThreatIntelligence_feed",
            "id": "376862",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 5,
            "URL": 10,
            "domain": 2,
            "email": 2,
            "hostname": 4
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 18,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026",
        "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package",
        "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/",
        "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust",
        "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections",
        "https://socket.dev/blog/axios-npm-package-compromised",
        "IOCs.2026.pdf",
        "https://www.derp.ca/research/axios-npm-supply-chain-rat/",
        "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/",
        "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan",
        "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/",
        "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff",
        "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/",
        "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
            "Threat Intelligence"
          ],
          "malware_families": [
            "Waveshaper.v2",
            "Javascript",
            "Applescript",
            "Linux",
            "Linux python",
            "Kics",
            "Waveshaper",
            "Python"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69ce83659fb527eb96c998a2",
      "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise",
      "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.",
      "modified": "2026-05-04T15:01:49.491000",
      "created": "2026-04-02T14:55:33.872000",
      "tags": [
        "truesec",
        "post body",
        "temp",
        "cicd",
        "rotate npm",
        "monitor",
        "npm supplychain",
        "risk detection",
        "urls",
        "network",
        "remote access"
      ],
      "references": [
        "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise",
        "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan",
        "https://www.derp.ca/research/axios-npm-supply-chain-rat/",
        "https://socket.dev/blog/axios-npm-package-compromised",
        "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/",
        "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust",
        "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections",
        "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/",
        "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/",
        "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff",
        "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026",
        "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 58,
        "FileHash-SHA1": 62,
        "FileHash-SHA256": 60,
        "URL": 28,
        "domain": 19,
        "email": 5,
        "hostname": 10,
        "CIDR": 2,
        "CVE": 2
      },
      "indicator_count": 246,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "27 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd4ab845e4c43edd557b92",
      "name": "EbeeMar2026 Pt8",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:41:28.726000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 77,
        "FileHash-MD5": 156,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 186,
        "CVE": 1,
        "URL": 19,
        "email": 6,
        "hostname": 53
      },
      "indicator_count": 657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd12aea363839ddf9b50f1",
      "name": "North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | Google Cloud Blog",
      "description": "A North Korea-Nexus threat actor is targeting a popular JavaScript package, which is used by millions of users, to deliver malware on Windows, macOS, Linux and other operating systems, analysis shows.",
      "modified": "2026-05-01T12:03:11.950000",
      "created": "2026-04-01T12:42:22.975000",
      "tags": [
        "unc1069",
        "iocs",
        "waveshaper",
        "monitor",
        "compromise",
        "windows",
        "os version",
        "file system",
        "enumeration",
        "returns",
        "threat intelligence",
        "waveshaper.v2",
        "javascript",
        "applescript",
        "linux"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"
      ],
      "public": 1,
      "adversary": "Threat Intelligence",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "WAVESHAPER.V2",
          "display_name": "WAVESHAPER.V2",
          "target": null
        },
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "AppleScript",
          "display_name": "AppleScript",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "WAVESHAPER",
          "display_name": "WAVESHAPER",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 14,
        "URL": 7,
        "YARA": 2,
        "domain": 4,
        "email": 3,
        "hostname": 1
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cb5652f7631ef4d5db41fb",
      "name": "Axios Package Hijacked to Execute Remote Access Attacks",
      "description": "A popular HTTP client library, axios, has been compromised by an attacker who published two malicious versions of the library on the npm platform, and then published them via its own GitHub Actions.",
      "modified": "2026-04-30T05:15:07.067000",
      "created": "2026-03-31T05:06:26.350000",
      "tags": [
        "windows",
        "github actions",
        "linux",
        "c2 url",
        "hardenrunner",
        "stepsecurity",
        "cicd",
        "post body",
        "vbscript",
        "c2 post",
        "malicious",
        "powershell",
        "verify",
        "macos",
        "copy",
        "write",
        "install",
        "linux python",
        "kics",
        "python"
      ],
      "references": [
        "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Linux Python",
          "display_name": "Linux Python",
          "target": null
        },
        {
          "id": "KICS",
          "display_name": "KICS",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 5,
        "URL": 10,
        "domain": 3,
        "email": 2,
        "hostname": 4
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cb5bdac50914ba42a0f6c3",
      "name": "Axios Package Hijacked to Execute Remote Access Attacks",
      "description": "",
      "modified": "2026-04-30T05:15:07.067000",
      "created": "2026-03-31T05:30:02.099000",
      "tags": [
        "windows",
        "github actions",
        "linux",
        "c2 url",
        "hardenrunner",
        "stepsecurity",
        "cicd",
        "post body",
        "vbscript",
        "c2 post",
        "malicious",
        "powershell",
        "verify",
        "macos",
        "copy",
        "write",
        "install",
        "linux python",
        "kics",
        "python"
      ],
      "references": [
        "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Linux Python",
          "display_name": "Linux Python",
          "target": null
        },
        {
          "id": "KICS",
          "display_name": "KICS",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69cb5652f7631ef4d5db41fb",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ThreatIntelligence_feed",
        "id": "376862",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 5,
        "URL": 10,
        "domain": 2,
        "email": 2,
        "hostname": 4
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 18,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "package.md",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "package.md",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780249660.9646764
}