name: Axios Supply Chain Anomalous IE8 User Agent with npm Registry POST Body Mimicry Analytic
category: 'Command and Control'
threatname: 'Application Layer Protocol: Web Protocols'
functionality: 'Web Proxy'
description: |
  Detects the C2 beacon pattern used across all three platform variants (macOS, Windows, Linux)
  of the axios supply chain RAT. All variants share an identical and highly anomalous User-Agent
  string mimicking Internet Explorer 8 on Windows XP, "mozilla/4.0 (compatible; msie 8.0;
  windows nt 5.1; trident/4.0)", a combination effectively extinct in 2026. POST request bodies
  are designed to blend with npm registry traffic by prefixing packages.npm.org/product0|1|2;
  however, npm.org is not the npm registry; it belongs to the National Association of Pastoral
  Musicians. The C2 endpoint sfrclak[.]com listens on port 8000 (non-standard) and routes
  platform-specific payloads based on the product suffix. The 60-second beacon interval and
  Base64-encoded JSON body structure are consistent across platforms. The IE8/WinXP UA paired
  with HTTP POST to port 8000 is a reliable high-fidelity indicator across all sensor types.
reference:
- https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
- https://socket.dev/blog/axios-npm-package-compromised
labels:
- attack.command_and_control
- attack.t1071.001
- attack.t1001
- axios
- supply_chain
- c2_beacon
- user_agent_evasion
logsource:
  product: Web Proxy
  category: proxy
detection:
  selection_legacy_ua:
    UserAgent|contains|all:
      - 'msie 8.0'
      - 'windows nt 5.1'
      - 'trident/4.0'
  selection_npm_mimicry:
    HttpRequestBody|contains:
      - 'packages.npm.org/product0'
      - 'packages.npm.org/product1'
      - 'packages.npm.org/product2'
  selection_c2_ioc:
    DomainName|contains:
      - 'sfrclak.com'
    DestinationPort: 8000
  condition: selection_legacy_ua or selection_npm_mimicry or selection_c2_ioc
criticality: Critical
saveasthreat: false
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:
TECHNICAL DETAILS:
  C2 infrastructure:
    Domain: sfrclak[.]com
    IP: 142.11.206.73
    Port: 8000
    Path: /6202033 (campaign ID — reversed = 3-30-2026)
  POST body per platform (C2 routing):
    macOS: packages.npm.org/product0
    Windows: packages.npm.org/product1
    Linux: packages.npm.org/product2
  RAT beacon structure (all platforms):
    Method: HTTP POST
    User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)
    Body: Base64-encoded JSON with hostname, username, OS, timezone, HW, processes
    Interval: 60 seconds
    Signals: "Wow" (active) / "Zzz" (idle/sleep)
  The packages.npm.org prefix is a deliberate SIEM evasion technique — npm.org
  has belonged to the National Association of Pastoral Musicians since 1997 and
  is not the npm package registry (registry.npmjs.org).
  Any IE8/WinXP User-Agent in a modern enterprise proxy log is anomalous at baseline.
  The npm.org POST body mimicry selector is uniquely specific to this campaign.
Policy building walkthrough can be found in this previous post:
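To check that the three selections and the OR condition behave as intended before deploying the rule, the matcher below replays them over constructed proxy records. This is an added example, not part of the rule or of the referenced write-ups; the field names are the rule's own, and the beacon body layout (prefix followed by Base64 JSON) is an assumption made for the sample record.

```python
import base64
import json

# Field values copied from the detection block of the rule.
LEGACY_UA_TOKENS = ("msie 8.0", "windows nt 5.1", "trident/4.0")
NPM_MIMICRY = tuple(f"packages.npm.org/product{i}" for i in range(3))
C2_DOMAIN = "sfrclak.com"
C2_PORT = 8000


def matches_rule(event: dict) -> list:
    """Return the selections an event satisfies; an empty list means no hit.
    Sigma 'contains' is case-insensitive, so string fields are lowercased first."""
    ua = str(event.get("UserAgent", "")).lower()
    body = str(event.get("HttpRequestBody", "")).lower()
    domain = str(event.get("DomainName", "")).lower()
    port = event.get("DestinationPort")
    hits = []
    if all(tok in ua for tok in LEGACY_UA_TOKENS):   # |contains|all: every token required
        hits.append("selection_legacy_ua")
    if any(m in body for m in NPM_MIMICRY):          # |contains on a list: any value matches
        hits.append("selection_npm_mimicry")
    if C2_DOMAIN in domain and port == C2_PORT:      # two fields in one selection are ANDed
        hits.append("selection_c2_ioc")
    return hits


def flagged(events: list) -> list:
    """Apply the rule's OR condition; return (event id, hits) for every match."""
    return [(e["id"], matches_rule(e)) for e in events if matches_rule(e)]


# Constructed sample records; the check-in JSON content is made up for the example.
_fake_checkin = base64.b64encode(json.dumps({"host": "ws01", "sig": "Wow"}).encode()).decode()
SAMPLE_EVENTS = [
    {"id": "beacon", "UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
     "DomainName": "sfrclak.com", "DestinationPort": 8000,
     "HttpRequestBody": "packages.npm.org/product1" + _fake_checkin},
    {"id": "npm-install", "UserAgent": "npm/10.8.2 node/v22.14.0 linux x64",
     "DomainName": "registry.npmjs.org", "DestinationPort": 443, "HttpRequestBody": ""},
    # IE8 on Windows 7 (NT 6.1): only two of three tokens, so |contains|all does not fire.
    {"id": "ie8-win7", "UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
     "DomainName": "intranet.example", "DestinationPort": 80, "HttpRequestBody": ""},
    # C2 domain on 443: the port belongs to the same selection, so the domain alone is not enough.
    {"id": "c2-on-443", "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0",
     "DomainName": "sfrclak.com", "DestinationPort": 443, "HttpRequestBody": ""},
]

if __name__ == "__main__":
    for event_id, hits in flagged(SAMPLE_EVENTS):
        print(event_id, hits)
```

The "c2-on-443" record is the case to watch: if the proxy logs the domain but the C2 moves ports, only the UA and body selections still fire, which is why the condition ORs all three.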
