{
  "Event": {
    "analysis": "1",
    "date": "2026-04-09",
    "extends_uuid": "",
    "info": "[Threat Intel] NPM Package Supply Chain Compromise Leads to RAT Deployment",
    "protected": false,
    "publish_timestamp": "1776175458",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776175458",
    "uuid": "bf77eb24-78b7-4d28-ba70-92ade79220f8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#9c8729",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#a42e64",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#f055aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818815",
        "to_ids": false,
        "type": "link",
        "uuid": "157f8d22-b865-44c7-aac6-712d80d02701",
        "value": "https://www.levelblue.com/blogs/spiderlabs-blog/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818815",
        "to_ids": false,
        "type": "text",
        "uuid": "a9580695-d36b-402e-8762-3bdd173db91a",
        "value": "A supply chain attack targeting the Axios npm package has been identified after threat actors compromised the npm account of the company's lead developer. Malicious versions (axios@1.14.1 and axios@0.30.4) were published containing a hidden dependency that executed postinstall scripts during npm installation. This automated execution downloaded and deployed a remote access trojan on affected systems without requiring user interaction, making it particularly dangerous for developer environments and CI/CD pipelines. The compromise resulted in full remote access capabilities, potential credential exposure including API keys and SSH keys, and possible insertion of malicious code into software builds. Detection platforms identified suspicious process execution chains involving npm spawning command interpreters and network utilities, followed by outbound connections to attacker-controlled infrastructure."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818815",
        "to_ids": false,
        "type": "text",
        "uuid": "cf460f5b-19f8-4240-a737-e1c1049139b8",
        "value": "Name: NPM Package Supply Chain Compromise Leads to RAT Deployment\nAuthor: AlienVault\nAdversary: \nTags: [\"axios package\", \"postinstall script\", \"developer environments\", \"rat\", \"npm package compromise\", \"dependency poisoning\", \"ci/cd pipelines\", \"supply chain attack\", \"rat deployment\"]\nTgtd countries: []\nMlwr families: [\"RAT\"]\nAttack_ids: [\"T1078\", \"T1033\", \"T1059.001\", \"T1567\", \"T1083\", \"T1543\", \"T1082\", \"T1552.001\", \"T1021\", \"T1090\", \"T1007\", \"T1059.003\", \"T1213\", \"T1056\", \"T1071.001\", \"T1057\", \"T1027\", \"T1195.002\", \"T1105\", \"T1136\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167656",
        "to_ids": true,
        "type": "domain",
        "uuid": "9cbc1c08-1d80-46d5-b34f-63ae69d830bd",
        "value": "sfrclak.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167677",
        "uuid": "5f49a845-3305-49dd-bcdb-d1729d083251",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167677",
            "to_ids": true,
            "type": "md5",
            "uuid": "0bdd540f-7845-4b7a-a481-20657c727b13",
            "value": "04e3073b3cd5c5bfcde6f575ecf6e8c1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167001",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4906f66f-c974-4c0d-9e89-6237bf99b368",
            "value": "a90c26e7cbb3440ac1cad75cf351cbedef7744a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167001",
            "to_ids": true,
            "type": "sha256",
            "uuid": "edc97a3d-6aef-42b6-af0d-205dba02046a",
            "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072318",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "69a6f2be-0f0c-4bd0-9554-b0eabb090dc5",
            "value": "192:b9u9gG89mD+SOzuahCnGX1pybp0j5PWFmFBiMluIY26qb7cTOXAWumPTvCfuYRNI:b4KG8MwzuaEnGDPWFsBiM9Yy/LCfj7H6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072318",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fc5b5f55-c38a-434b-a16a-b201c960a7ee",
            "value": "11042"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072318",
            "to_ids": true,
            "type": "vhash",
            "uuid": "617cb7d9-42c8-4dcc-bfa8-7da97668ec52",
            "value": "58929cf2b703de329505bcef391d8dcb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072318",
            "to_ids": true,
            "type": "filename",
            "uuid": "2399cfbe-ce31-47c6-b7f3-493459108af8",
            "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan: 13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072318",
            "to_ids": false,
            "type": "text",
            "uuid": "1446dbb0-4353-4dd6-9b66-ba985d78a5ef",
            "value": "Type Description: Powershell\nMicrosoft: Backdoor:PowerShell/TalonStrike.B!dha\nVT Total Detection:36/62\nFirst Submission:2026-03-31T02:52:21.000000+00:00\nLast Submission:2026-04-02T07:10:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167698",
        "uuid": "ec90c70b-323d-42ab-aaed-c5ba310acf12",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167698",
            "to_ids": true,
            "type": "md5",
            "uuid": "13c7e043-194a-49af-877d-ad667edb77b7",
            "value": "7658962ae060a222c0058cd4e979bfa1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167003",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1cd2d006-9077-492a-99d2-db41527450c0",
            "value": "b0e0f12f1be57dc67fa375e860cedd19553c464d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167003",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72b3f83c-c0b5-4de8-8883-9bf887c5f887",
            "value": "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072340",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f3ef2a24-4bee-4bdf-a741-8968c70beb8c",
            "value": "96:V0BwY31H/x2Nov7NMUtjlNU0kCsSuckO6Jg5yD8pm:V07H/x2NSBNxjl4S9t5yopm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072340",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8b25fdd1-519c-4675-a3b7-0417b23dece5",
            "value": "4209"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072340",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a11fa4c9-b357-4983-a636-3448d36a6880",
            "value": "38941ec9dea7b975f11cc8643b2a9926"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072340",
            "to_ids": true,
            "type": "filename",
            "uuid": "d77c4eee-4717-4e94-8580-e58fde6a0c6b",
            "value": "setup.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan: 13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072340",
            "to_ids": false,
            "type": "text",
            "uuid": "5c735274-e686-43c0-83e0-fbabc3823e56",
            "value": "Type Description: JavaScript\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:34/62\nFirst Submission:2026-03-31T04:19:15.000000+00:00\nLast Submission:2026-04-13T05:05:13.000000+00:00"
          }
        ]
      }
    ]
  }
}