{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Axios Front-End Library npm Supply Chain Poisoning Alert",
    "protected": false,
    "publish_timestamp": "1775970122",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775970121",
    "uuid": "5fbc81c5-8191-45a3-b20c-c47128c13315",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098824",
        "to_ids": false,
        "type": "link",
        "uuid": "6096d95e-cd16-489b-b3ad-67455cd557ac",
        "value": "https://nsfocusglobal.com/axios-front-end-library-npm-supply-chain-poisoning-alert/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098824",
        "to_ids": false,
        "type": "text",
        "uuid": "f9fd5076-a4c3-4da8-9a9c-a1e09fdcd55c",
        "value": "On March 31, NSFOCUS CERT detected a supply chain poisoning attack against the HTTP client library Axios in the npm repository. The attacker bypassed the project's normal GitHub Actions CI/CD pipeline, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually released a malicious version containing a Trojan backdoor through the npm CLI. When a user installs it, persistent remote control is established on the host. The impact is wide-ranging, and relevant users are requested to investigate and take protective measures as soon as possible."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098824",
        "to_ids": false,
        "type": "text",
        "uuid": "fc237ae9-fd8d-427f-bafb-a5f81b23c6dc",
        "value": "Name: Axios Front-End Library npm Supply Chain Poisoning Alert\nAuthor: AlienVault\nAdversary: \nTags: [\"supply chain attack\", \"supply chain\", \"axios\", \"npm\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964184",
        "to_ids": true,
        "type": "sha1",
        "uuid": "72f60bb9-2a77-4188-8c63-d5aaa8ec0435",
        "value": "d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775966445",
        "to_ids": true,
        "type": "url",
        "uuid": "bfe47aba-0270-41a1-868e-afd5f6c14a22",
        "value": "http://sfrclak.com:8000/6202033",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775966466",
        "to_ids": true,
        "type": "domain",
        "uuid": "16f76d71-338f-4bee-86a1-3d0c7620e331",
        "value": "callnrwise.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775966487",
        "to_ids": true,
        "type": "domain",
        "uuid": "a37a9a45-ec97-40f4-aedf-f54ae8d55a68",
        "value": "sfrclak.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775966508",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "80c3e0bb-cb73-4ed9-8ddf-09d9cf9c4172",
        "value": "142.11.206.73",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775962201",
        "to_ids": true,
        "type": "email-src",
        "uuid": "44a92456-1056-495d-8075-38729af0af22",
        "value": "nrwise@proton.me"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775962201",
        "to_ids": true,
        "type": "email-src",
        "uuid": "c62a45f6-f231-45a9-b825-2fc2dd5ead68",
        "value": "ifstap@proton.me"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775966529",
        "uuid": "15611049-f82f-45b5-882b-178f040cc935",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775966529",
            "to_ids": true,
            "type": "md5",
            "uuid": "3a472c5c-9809-463b-8e0d-69d236e1d285",
            "value": "db7f4c82c732e8b107492cae419740ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964183",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f99a3ce0-325a-4c46-990d-c3302976f2b4",
            "value": "07d889e2dadce6f3910dcbc253317d28ca61c766",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964183",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ea9b1db9-ab0d-4454-8ea3-a6e108789dcd",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963884",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47192be9-4aab-4c70-996b-f787580047d4",
            "value": "1536:uXG6U0Qn6xK9yaoMZ2NUX6KX1hkKAqFlsaPXOdV2VLbgQvMjCtVpWl+0iium82FM:uWD6MIMAiDXoL6wQg9jQVElKI82Te"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963884",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a14b633f-39e3-4f5e-a024-8d985f733653",
            "value": "89868"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963884",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c373b684-0f7a-4fb8-87e9-2512801c9c16",
            "value": "cd8e4404877b2b40dc62d177414fd4bb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963884",
            "to_ids": true,
            "type": "filename",
            "uuid": "b346fa6d-dcca-46e0-bf5e-1e5a3679570f",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668.gz"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963884",
            "to_ids": false,
            "type": "text",
            "uuid": "ed542fba-796e-4ac4-97ae-1594f09d4b3e",
            "value": "Type Description: GZIP\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:34/63\nFirst Submission:2026-03-31T02:57:22.000000+00:00\nLast Submission:2026-04-08T05:57:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775966550",
        "uuid": "ca4eb6c9-e2f8-48fb-8c6d-87402e8491d6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775966550",
            "to_ids": true,
            "type": "md5",
            "uuid": "b3215725-fc39-4017-91e0-a80e75fe4e4a",
            "value": "21d2470cae072cf2d027d473d168158c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964183",
            "to_ids": true,
            "type": "sha1",
            "uuid": "072cb1a3-219d-47ea-b6e1-eb4e2e18db42",
            "value": "2553649f2322049666871cea80a5d0d6adc700ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964183",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9e56db99-581e-44c0-80f3-775cc9ee97fc",
            "value": "5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963905",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "86f1cc60-970a-4fe0-ad05-8d9b0ea8f6eb",
            "value": "12288:zU1Bd73ORJcXLJGfqLAbDfvIoKi08KAS453HbUyFdDn7xkB8xdUbH:u3jNGfSuLvIqKAjh7b7x+MUz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963905",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "026e33a6-781e-430a-acad-6aba1a42b412",
            "value": "630301"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963905",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cea712ce-7692-45e3-bb42-e6ee337b43aa",
            "value": "e5935c4c7d3cc2883bd14332f5e3ea18"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963905",
            "to_ids": true,
            "type": "filename",
            "uuid": "9b342c4c-2a2a-4fb2-bb2c-af062768e969",
            "value": "axios-1.14.1.tgz"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963905",
            "to_ids": false,
            "type": "text",
            "uuid": "094216bd-721f-48e1-9fab-8b56d9731a5d",
            "value": "Type Description: GZIP\nMicrosoft: None\nVT Total Detection:22/63\nFirst Submission:2026-03-31T04:08:34.000000+00:00\nLast Submission:2026-04-07T10:40:05.000000+00:00"
          }
        ]
      }
    ]
  }
}