name: Axios Supply Chain - npm Lifecycle Hook Spawning VBScript Dropper Analytic
category: 'Execution'
threatname: 'Command and Scripting Interpreter: Visual Basic'
functionality: 'Endpoint Management Systems'
description: |
  Detects npm or Node.js processes spawning cscript.exe or wscript.exe to execute a
  VBScript file from a temporary directory, consistent with the malicious postinstall
  lifecycle hook in plain-crypto-js@4.2.1 — the phantom dependency injected into the
  backdoored axios@1.14.1 and axios@0.30.4 packages. The dropper (setup.js) writes a
  hidden-window VBScript to %TEMP% that copies powershell.exe to %PROGRAMDATA%\wt.exe
  and fetches the stage-2 PowerShell RAT from the C2 at sfrclak[.]com:8000. The VBScript
  self-deletes after execution to reduce forensic artifacts. Any npm install process
  that spawns a VBScript interpreter against a temp-resident .vbs file should be considered
  highly suspicious and is not consistent with legitimate package installation behavior.
reference:
  - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
  - https://socket.dev/blog/axios-npm-package-compromised
  - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
  - https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
labels:
  - attack.execution
  - attack.t1059.005
  - attack.t1195.002
  - axios
  - plain-crypto-js
  - supply_chain
  - npm_lifecycle_hook
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent_npm:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '\npm.exe'
      - '\npx.cmd'
      - '\npx.exe'
  selection_vbs_interpreter:
    Image|endswith:
      - '\cscript.exe'
      - '\wscript.exe'
  selection_temp_vbs:
    CommandLine|contains:
      - '\AppData\Local\Temp\'
      - '\Windows\Temp\'
      - '%TEMP%'
    CommandLine|endswith:
      - '.vbs'
  condition: selection_parent_npm and selection_vbs_interpreter and selection_temp_vbs
criticality: Critical
saveasthreat: true
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:

TECHNICAL DETAILS:

Attack chain observed by Huntress SOC:
  node setup.js
    → cmd.exe
      → cscript.exe %TEMP%\6202033.vbs ← THIS RULE FIRES HERE
        → cmd.exe
          → curl (POST to sfrclak[.]com:8000/6202033)
          → writes %TEMP%\6202033.ps1
          → wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1
          → deletes 6202033.ps1
          → deletes 6202033.vbs

The VBScript uses window style 0 (hidden window) to suppress any visible execution.
Campaign identifier in filenames: 6202033 (reversed = 3-30-2026, the attack date).

Malicious packages:
  axios@1.14.1          SHA1: 2553649f2322049666871cea80a5d0d6adc700ca
  axios@0.30.4          SHA1: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
  plain-crypto-js@4.2.1 SHA1: 07d889e2dadce6f3910dcbc253317d28ca61c766

False positives:
  - Unlikely. npm should never spawn VBScript interpreters during package installation.
    Any match warrants immediate investigation.
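The following is an added example, not part of the rule above or of any of the referenced write-ups: it re-implements the rule's three selections in Python and evaluates them against constructed process-creation events shaped like the attack chain in the technical details. The `ancestors` field is an assumption (telemetry that records more than the direct parent); the sample paths and the benign events are constructed, and only the campaign filename 6202033.vbs and the selection values come from the page. A second function, `rule_matches_ancestry`, goes beyond the rule as written by accepting an npm/node image anywhere in the ancestry rather than only as the direct parent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Values copied from the rule's selections. Matching is case-insensitive,
# as Sigma string modifiers are by default.
PARENT_NPM = ("\\node.exe", "\\npm.cmd", "\\npm.exe", "\\npx.cmd", "\\npx.exe")
VBS_INTERPRETERS = ("\\cscript.exe", "\\wscript.exe")
TEMP_MARKERS = ("\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\", "%TEMP%")
VBS_SUFFIX = ".vbs"


@dataclass
class ProcessEvent:
    """One process_creation event. `ancestors` (assumed field, nearest first,
    beyond the direct parent) exists only in telemetry that records the whole
    chain; ParentImage-only sources leave it empty."""
    label: str
    image: str
    command_line: str
    parent_image: str
    ancestors: List[str] = field(default_factory=list)


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def vbs_from_temp(ev: ProcessEvent) -> bool:
    """selection_vbs_interpreter AND selection_temp_vbs."""
    return (_endswith_any(ev.image, VBS_INTERPRETERS)
            and _contains_any(ev.command_line, TEMP_MARKERS)
            and ev.command_line.lower().endswith(VBS_SUFFIX))


def rule_matches(ev: ProcessEvent) -> bool:
    """The rule as written: the *direct* parent must be an npm/node image."""
    return _endswith_any(ev.parent_image, PARENT_NPM) and vbs_from_temp(ev)


def rule_matches_ancestry(ev: ProcessEvent) -> bool:
    """Assumed generalisation: an npm/node image anywhere in the ancestry
    counts, which covers the cmd.exe hop between node and cscript shown in
    the observed chain."""
    chain = [ev.parent_image, *ev.ancestors]
    return any(_endswith_any(a, PARENT_NPM) for a in chain) and vbs_from_temp(ev)


# Constructed sample events (not real telemetry). Paths are invented; the
# campaign filename 6202033.vbs mirrors the technical details above.
SAMPLE_EVENTS = [
    ProcessEvent("direct_child_of_node",
                 r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\Users\dev\AppData\Local\Temp\6202033.vbs",
                 r"C:\Program Files\nodejs\node.exe"),
    # Shape of the observed chain: node -> cmd.exe -> cscript.exe
    ProcessEvent("via_cmd_hop_as_observed",
                 r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\Users\dev\AppData\Local\Temp\6202033.vbs",
                 r"C:\Windows\System32\cmd.exe",
                 ancestors=[r"C:\Program Files\nodejs\node.exe",
                            r"C:\Program Files\nodejs\npm.cmd"]),
    # A quoted path ends with a double quote, so CommandLine|endswith '.vbs' misses it
    ProcessEvent("quoted_path_misses_endswith",
                 r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe "C:\Users\dev\AppData\Local\Temp\6202033.vbs"',
                 r"C:\Program Files\nodejs\node.exe"),
    # Benign: a user double-clicking a script in %TEMP% (parent is explorer.exe)
    ProcessEvent("user_double_click",
                 r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\dev\AppData\Local\Temp\cleanup.vbs",
                 r"C:\Windows\explorer.exe"),
    # Benign: node spawning a shell for a native build step, no VBS interpreter
    ProcessEvent("benign_native_build",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /d /s /c node-gyp rebuild",
                 r"C:\Program Files\nodejs\node.exe"),
]


def evaluate(events=SAMPLE_EVENTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (rule_as_written, ancestry_variant)} for each event."""
    return {ev.label: (rule_matches(ev), rule_matches_ancestry(ev)) for ev in events}


if __name__ == "__main__":
    for label, (direct, chain) in evaluate().items():
        print(f"{label:32} as_written={direct!s:5} ancestry={chain}")
```

Two things the run makes visible. First, in the observed chain cscript.exe is a child of cmd.exe, not of node.exe, so the rule as written fires only where the telemetry reports an npm/node image as the direct parent; an ancestor-aware source (or a grandparent field, where the platform offers one) closes that gap without widening the parent list to cmd.exe and losing the npm link. Second, `CommandLine|endswith: '.vbs'` does not match a quoted script path; a `contains: '.vbs'` clause would cover it at little false-positive cost given the other two selections.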
Policy building walkthrough can be found in this previous post:
