{ "Event": { "analysis": "1", "date": "2026-04-01", "extends_uuid": "", "info": "[Threat Intel] Inside the Axios supply chain compromise - one RAT to rule them all", "protected": false, "publish_timestamp": "1775970094", "published": true, "threat_level_id": "2", "timestamp": "1775970093", "uuid": "a5cb50f9-cd08-432b-8ea5-fcd7fdbd1dbe", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#5f1b93", "local": false, "name": "misp-galaxy:producer=\"Elastic\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#4e6a0e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Window - T1143\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#89bea3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"", "relationship_type": "" }, { "colour": "#201172", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#44b2c2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#f07d7c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#7d37d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775098817", "to_ids": false, "type": "link", "uuid": "e12f574a-d60f-46ea-a7bd-75d2743b9f86", "value": "https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775098817", "to_ids": false, "type": "text", "uuid": "dc61c0b5-49d4-49c4-a399-597e76fc595c", "value": "Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775098817", "to_ids": false, "type": "text", "uuid": "61f19983-5076-4b4e-8a04-781d239b9be7", "value": "Name: Inside the Axios supply chain compromise - one RAT to rule them all\nAuthor: AlienVault\nAdversary: \nTags: [\"Supply Chain Attack\", \"npm Package Compromise\", \"JavaScript\", \"axios\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1027\", \"T1036\", \"T1143\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775965722", "to_ids": true, "type": "domain", "uuid": "83475c53-a556-4beb-9c20-96225bc5b473", "value": "sfrclak.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775965743", "to_ids": true, "type": "ip-dst", "uuid": "c660e9be-10f2-451f-bf80-a3e8370ab081", "value": "142.11.206.73", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775965764", "uuid": "7a13f78b-3e16-448e-8fde-23ce74f59996", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775965764", "to_ids": true, "type": "md5", "uuid": "9c1c6ba2-c8b4-4dba-9949-58bc9649e036", "value": "04e3073b3cd5c5bfcde6f575ecf6e8c1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775964157", "to_ids": true, "type": "sha1", "uuid": "4028a625-41d4-4a41-b6b5-cd5e2e4f0371", "value": "a90c26e7cbb3440ac1cad75cf351cbedef7744a8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775964158", "to_ids": true, "type": "sha256", "uuid": "3557400f-132a-4e6f-969c-f664ace79feb", "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775963491", "to_ids": true, "type": "ssdeep", "uuid": "044fe84f-a446-42ac-a5b1-895cfde22a66", "value": "192:b9u9gG89mD+SOzuahCnGX1pybp0j5PWFmFBiMluIY26qb7cTOXAWumPTvCfuYRNI:b4KG8MwzuaEnGDPWFsBiM9Yy/LCfj7H6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775963491", "to_ids": false, "type": "size-in-bytes", "uuid": "dd6525c2-017f-4d01-93ae-b0c83980fe6c", "value": "11042" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775963491", "to_ids": true, "type": "vhash", "uuid": "1c2d2635-ae87-47f2-ab94-437617671abd", "value": "58929cf2b703de329505bcef391d8dcb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775963491", "to_ids": true, "type": "filename", "uuid": "1a0c72df-3fe8-445b-ab3f-0cefed083169", "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101.ps1" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775963491", "to_ids": false, "type": "text", "uuid": "494766fc-b09c-47e1-83e6-26c16bb4b992", "value": "Type Description: Powershell\nMicrosoft: Backdoor:PowerShell/TalonStrike.B!dha\nVT Total Detection:35/62\nFirst Submission:2026-03-31T02:52:21.000000+00:00\nLast Submission:2026-04-02T07:10:20.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775965785", "uuid": "e0b02cb7-009d-4360-a0e1-950ab77934f9", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775965785", "to_ids": true, "type": "md5", "uuid": "651bd9d3-3966-40fc-8dee-e14e1b57cb92", "value": "7a9ddef00f69477b96252ca234fcbeeb", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775964158", "to_ids": true, "type": "sha1", "uuid": "1c3021a6-aeaf-4459-99e8-d24dfca80992", "value": "13ab317c5dcab9af2d1bdb22118b9f09f8a4038e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775964158", "to_ids": true, "type": "sha256", "uuid": "09c0b8ae-79d0-417d-b3f9-e64c832085cb", "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775963513", "to_ids": true, "type": "ssdeep", "uuid": "bb099f91-da7d-40de-89c5-ed98c7f0c7dc", "value": "6144:xjazCtUlrLxJnzsOOAx2Y+AktJgRESAtxVZS63vYdCzsbAkuNjepym:xjazCtyJcYKgRESAT93AdUjepym" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775963513", "to_ids": false, "type": "size-in-bytes", "uuid": "ab8231ac-b2a1-43f7-9455-ee6f23257e5d", "value": "657424" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775963513", "to_ids": true, "type": "vhash", "uuid": "6744a3c3-9f29-4974-a6b8-fc515089925c", "value": "5888402d25bc5f77c7c3d92ca5d30997" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775963513", "to_ids": true, "type": "filename", "uuid": "4b8883ee-2be5-43dd-b305-17ba1195029c", "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a.macho" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775963513", "to_ids": false, "type": "text", "uuid": "cf9bde57-74b7-4f41-90c8-0494b4d994a4", "value": "Type Description: Mach-O\nMicrosoft: Backdoor:MacOS/TalonStrike.A!dha\nVT Total Detection:36/64\nFirst Submission:2026-03-31T01:05:29.000000+00:00\nLast Submission:2026-04-08T14:55:14.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775965806", "uuid": "fd88fe1c-a08e-46dc-a543-1defbb4b1e4c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775965806", "to_ids": true, "type": "md5", "uuid": "97dba674-668c-4364-87ec-f4ca08259e32", "value": "9663665850cdd8fe12e30a671e5c4e6f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775964159", "to_ids": true, "type": "sha1", "uuid": "85055ba4-d1e0-42d6-905d-f59f1779132c", "value": "59faac136680104948e083b3b67a70af9bfa5d5e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775964159", "to_ids": true, "type": "sha256", "uuid": "812b505e-dfe0-497f-97eb-9bafc6c764d2", "value": "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775963534", "to_ids": true, "type": "ssdeep", "uuid": "286e83b3-8c9f-4eb4-aca0-bbd2a08308c6", "value": "192:V+OTSQFF3MjzSCII7s32HaYo5uuFe0+60U2WICd/tPQTnd/Y+cLL2dPj47Hp79Bb:V+OTJRCII7sRdI8mT+IkUAsQ" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775963534", "to_ids": false, "type": "size-in-bytes", "uuid": "f5a524c6-3742-42d1-934b-c1f4241dfd5a", "value": "12323" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775963534", "to_ids": true, "type": "filename", "uuid": "dfbb7c62-3afc-42ed-9824-d608cc20c91b", "value": "__fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf.py" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775963534", "to_ids": false, "type": "text", "uuid": "55f34c5e-eaf2-48d9-8b96-febfed53883f", "value": "Type Description: Python\nMicrosoft: Backdoor:Python/TalonStrike.C!dha\nVT Total Detection:36/63\nFirst Submission:2026-03-31T02:52:31.000000+00:00\nLast Submission:2026-04-08T13:20:07.000000+00:00" } ] } ] } }