Tagged Analytics Covering the Axios Compromise Post-Exploitation Activity (#3982)

tccontre · nasbench · web-flow · commit 7293d75700ae · 2026-04-02T16:07:20.000Z
---------

Co-authored-by: Nasreddine Bencherchali &lt;nbencher@cisco.com&gt;
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 25
-date: '2026-03-16'
+version: 26
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -148,6 +148,7 @@ tags:
         - DynoWiper
         - XML Runner Loader
         - Void Manticore
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 21
-date: '2026-03-16'
+version: 22
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -131,6 +131,7 @@ tags:
         - PromptFlux
         - XML Runner Loader
         - Void Manticore
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
 author: "Teoderick Contreras, Splunk, Ivar Nygård"
 status: production
 type: Anomaly
@@ -45,6 +45,7 @@ tags:
         - XorDDos
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1222.002
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,6 +44,7 @@ tags:
         - China-Nexus Threat Activity
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1003.008
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -1,7 +1,7 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -38,6 +38,7 @@ tags:
         - Linux Living Off The Land
         - Salt Typhoon
         - Linux Privilege Escalation
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1548.001
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer Hunting
 id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -39,6 +39,7 @@ tags:
         - Linux Living Off The Land
         - XorDDos
         - NPM Supply Chain Compromise
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1105
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
@@ -1,15 +1,15 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
 description: The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
 data_source:
     - osquery
 search: |-
-    `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
+    `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*", "chmod*")
       | rename columns.* as *
       | stats  min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id,  dc(path) as dc_path
         BY username host
@@ -45,6 +45,7 @@ tags:
     analytic_story:
         - Living Off The Land
         - Hellcat Ransomware
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.004
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 23
-date: '2026-03-10'
+version: 24
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -238,6 +238,7 @@ tags:
         - Hellcat Ransomware
         - Microsoft WSUS CVE-2025-59287
         - MuddyWater
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
         - Microsoft WSUS CVE-2025-59287
         - NetSupport RMM Tool Abuse
         - MuddyWater
+        - Axios Supply Chain Post Compromise
     mitre_attack_id:
         - T1027
         - T1059.001
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,7 +1,7 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
 author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: Anomaly
@@ -55,6 +55,7 @@ tags:
         - Data Destruction
         - 0bj3ctivity Stealer
         - Hellcat Ransomware
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,7 +1,7 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -64,6 +64,7 @@ tags:
         - Industroyer2
         - Scattered Spider
         - BlankGrabber Stealer
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1592
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 30
-date: '2026-03-26'
+version: 31
+date: '2026-03-31'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -78,6 +78,7 @@ tags:
         - Castle RAT
         - MuddyWater
         - Gh0st RAT
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1547.001
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -1,7 +1,7 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -68,6 +68,7 @@ tags:
         - Microsoft WSUS CVE-2025-59287
         - NPM Supply Chain Compromise
         - PromptLock
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1105
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution From ProgramData
 id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
-version: 7
-date: '2026-02-09'
+version: 8
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -49,6 +49,7 @@ tags:
         - China-Nexus Threat Activity
         - APT37 Rustonotto and FadeStealer
         - GhostRedirector IIS Module and Rungan Backdoor
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036.005
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 9
-date: '2026-03-26'
+version: 10
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -52,6 +52,7 @@ tags:
         - Lokibot
         - SesameOp
         - Gh0st RAT
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1543
diff --git a/detections/endpoint/windows_renamed_powershell_execution.yml b/detections/endpoint/windows_renamed_powershell_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Renamed Powershell Execution
 id: c08014de-cc5a-42de-9775-76ecd5b37bbd
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ tags:
     analytic_story:
         - XWorm
         - Hellcat Ransomware
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1036.003
diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
-version: 21
-date: '2026-03-16'
+version: 22
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -92,6 +92,7 @@ tags:
         - Castle RAT
         - SesameOp
         - Void Manticore
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1543
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,7 +1,7 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 13
-date: '2026-03-24'
+version: 14
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -60,6 +60,7 @@ tags:
         - ShrinkLocker
         - 0bj3ctivity Stealer
         - MuddyWater
+        - Axios Supply Chain Post Compromise
     asset_type: Endpoint
     mitre_attack_id:
         - T1055
diff --git a/stories/axios_supply_chain_post_compromise.yml b/stories/axios_supply_chain_post_compromise.yml
@@ -0,0 +1,38 @@
+name: Axios Supply Chain Post Compromise
+id: 2b1b0e8f-8674-4544-a209-a52e1ea4c2da
+version: 1
+date: '2026-03-31'
+author: Teoderick Contreras, Splunk
+status: production
+description: |-
+    Leverage searches that help you detect and investigate post-compromise activity that may
+    follow installation of compromised axios npm releases (notably axios@1.14.1 and axios@0.30.4) and the phantom dependency plain-crypto-js@4.2.1 from the March 2026 supply chain incident documented by Huntress, Socket, Step Security, and others.
+
+    The backdoored packages used a malicious postinstall script to drop a cross-platform remote access trojan with Windows, macOS, and Linux payloads, process staging, and command-and-control beaconing. Use these analytics alongside dependency audits and EDR data to scope impact, prioritize containment, and support recovery on hosts that resolved the malicious versions during the exposure window.
+narrative: |-
+    On March 31, 2026, attackers compromised the npm account of the lead axios maintainer and published two trojanized releases: axios@1.14.1 (tagged latest) and axios@0.30.4 (tagged legacy).
+
+    The packages introduced a dependency that legitimate axios never used—plain-crypto-js@4.2.1—whose sole purpose was to run a postinstall script that downloaded and executed a cross-platform RAT.
+
+    axios is one of the most widely used JavaScript HTTP clients, so CI/CD jobs, developer workstations, and applications that ran npm install during the roughly three-hour window could have pulled the malicious builds automatically, especially where semver caret ranges allowed the new versions to resolve without a locked lockfile.
+
+    Infection required no end-user action: installing dependencies was enough to trigger the dropper. Reporting from Huntress and the community noted infections beginning within minutes of publication, consistent with automated pipelines and local installs resolving ^1.x or similar ranges.
+
+    The dropper used obfuscation and post-execution cleanup (for example, replacing package metadata so the plain-crypto-js folder looked benign), which makes disk evidence easy to miss and raises the value of process, script, and network telemetry for confirming compromise on a host.
+
+    After the initial drop, platform-specific tradecraft unfolded—such as staging scripts under temp paths, abusing trusted interpreters, and beaconing to remote infrastructure. These behaviors are the post-compromise phase this story emphasizes: moving from a poisoned package install to hands-on access, reconnaissance, and persistence-style activity on Windows, macOS, or Linux endpoints. Detections aligned to this narrative help teams find execution chains that may not explicitly mention axios or npm in every event.
+
+    Organizations should treat any system that installed the known bad versions during the incident window as potentially breached: validate lockfiles and SBOMs, rotate credentials and tokens that could have been exposed on those machines, and hunt using the bundled analytics plus C2 and IOC lists from vendor advisories. Pairing these searches with asset and dependency inventory reduces blind spots where transitive JavaScript dependencies updated in the background.
+references:
+    - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
+    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
+    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
+    - https://socket.dev/blog/axios-npm-package-compromised
+tags:
+    category:
+        - Malware
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    usecase: Advanced Threat Detection
