diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 18a8b7ccb1..bc1642237f 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
 version: 25
-date: '2026-03-16'
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -148,6 +148,7 @@ tags:
 - DynoWiper
 - XML Runner Loader
 - Void Manticore
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1036
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
index c371484ab2..ab38f5ae4c 100644
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
 version: 21
-date: '2026-03-16'
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -131,6 +131,7 @@ tags:
 - PromptFlux
 - XML Runner Loader
 - Void Manticore
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1036
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
index 67ae04ca00..eab18aaba5 100644
--- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
+++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
 author: "Teoderick Contreras, Splunk, Ivar Nygård"
 status: production
 type: Anomaly
@@ -45,6 +45,7 @@ tags:
 - XorDDos
 - Salt Typhoon
 - Linux Privilege Escalation
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1222.002
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 71769f8317..6b514394a9 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,6 +44,7 @@ tags:
 - China-Nexus Threat Activity
 - Salt Typhoon
 - Linux Privilege Escalation
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1003.008
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
index 59c6351239..104ef7014f 100644
--- a/detections/endpoint/linux_common_process_for_elevation_control.yml
+++ b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -1,7 +1,7 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -38,6 +38,7 @@ tags:
 - Linux Living Off The Land
 - Salt Typhoon
 - Linux Privilege Escalation
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1548.001
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
index dabb156c0d..d35ed5f097 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer Hunting
 id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -39,6 +39,7 @@ tags:
 - Linux Living Off The Land
 - XorDDos
 - NPM Supply Chain Compromise
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1105
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index 0226b077c3..1d873c15b8 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -1,7 +1,7 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -9,7 +9,7 @@ description: The following analytic detects multiple executions of Living off th
 data_source:
 - osquery
 search: |-
- `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
+ `osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*", "chmod*")
 | rename columns.* as *
 | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path BY username host
@@ -45,6 +45,7 @@ tags:
 analytic_story:
 - Living Off The Land
 - Hellcat Ransomware
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.004
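Review bot: The `"chmod*"` entry added to the `columns.cmdline IN (...)` list in the macos_lolbin search hunk will match every chmod invocation on the host, and on developer workstations and CI runners that is routine (build scripts and package installers set execute bits constantly), so the per-`username host` aggregation and whatever `dc_path` threshold follows this hunk are likely to fire far more often than with the previous list; the remainder of the search pipeline is outside the hunk, so I cannot tell whether the threshold was retuned to compensate. The description in the hunk header still refers only to the original set of LOLbins, and the file's known_false_positives block (not in this diff) should name the new noise source, e.g. `known_false_positives: chmod is executed routinely by build tooling and package managers (including npm install scripts); raise the dc_path threshold or filter by parent process on developer hosts.` Like the existing entries, `chmod*` is a prefix match and will not catch invocations by full path such as `/bin/chmod`, which is worth a comment if that gap is accepted.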
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index efd8ad0758..d0b242e4d4 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 23
-date: '2026-03-10'
+version: 24
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -238,6 +238,7 @@ tags:
 - Hellcat Ransomware
 - Microsoft WSUS CVE-2025-59287
 - MuddyWater
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index f149652fee..3ccf2cd33c 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
 - Microsoft WSUS CVE-2025-59287
 - NetSupport RMM Tool Abuse
 - MuddyWater
+ - Axios Supply Chain Post Compromise
 mitre_attack_id:
 - T1027
 - T1059.001
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 03bb609189..9364b4b9eb 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,7 +1,7 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
 author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: Anomaly
@@ -55,6 +55,7 @@ tags:
 - Data Destruction
 - 0bj3ctivity Stealer
 - Hellcat Ransomware
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index 6e3ae8b76a..104b0da91b 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,7 +1,7 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -64,6 +64,7 @@ tags:
 - Industroyer2
 - Scattered Spider
 - BlankGrabber Stealer
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1592
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 5750fcfa32..438b6fe16d 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
 version: 30
-date: '2026-03-26'
+date: '2026-03-31'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -78,6 +78,7 @@ tags:
 - Castle RAT
 - MuddyWater
 - Gh0st RAT
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index fe8d9556d8..0ba8a2bcc0 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -1,7 +1,7 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -68,6 +68,7 @@ tags:
 - Microsoft WSUS CVE-2025-59287
 - NPM Supply Chain Compromise
 - PromptLock
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1105
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
index fbc5e8d319..e998605d30 100644
--- a/detections/endpoint/windows_process_execution_from_programdata.yml
+++ b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution From ProgramData
 id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
-version: 7
-date: '2026-02-09'
+version: 8
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -49,6 +49,7 @@ tags:
 - China-Nexus Threat Activity
 - APT37 Rustonotto and FadeStealer
 - GhostRedirector IIS Module and Rungan Backdoor
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1036.005
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
index 2c4895236b..34974e0006 100644
--- a/detections/endpoint/windows_process_execution_in_temp_dir.yml
+++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
 version: 9
-date: '2026-03-26'
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -52,6 +52,7 @@ tags:
 - Lokibot
 - SesameOp
 - Gh0st RAT
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1543
diff --git a/detections/endpoint/windows_renamed_powershell_execution.yml b/detections/endpoint/windows_renamed_powershell_execution.yml
index 4e2a139dfb..2572c76af7 100644
--- a/detections/endpoint/windows_renamed_powershell_execution.yml
+++ b/detections/endpoint/windows_renamed_powershell_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Renamed Powershell Execution
 id: c08014de-cc5a-42de-9775-76ecd5b37bbd
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ tags:
 analytic_story:
 - XWorm
 - Hellcat Ransomware
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1036.003
diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml
index 3f2fb93a08..5b4b81962d 100644
--- a/detections/endpoint/windows_suspicious_process_file_path.yml
+++ b/detections/endpoint/windows_suspicious_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
 version: 21
-date: '2026-03-16'
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -92,6 +92,7 @@ tags:
 - Castle RAT
 - SesameOp
 - Void Manticore
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1543
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index 70552286ad..5f0eedc9fc 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,7 +1,7 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
 version: 13
-date: '2026-03-24'
+date: '2026-03-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -60,6 +60,7 @@ tags:
 - ShrinkLocker
 - 0bj3ctivity Stealer
 - MuddyWater
+ - Axios Supply Chain Post Compromise
 asset_type: Endpoint
 mitre_attack_id:
 - T1055
diff --git a/stories/axios_supply_chain_post_compromise.yml b/stories/axios_supply_chain_post_compromise.yml
new file mode 100644
index 0000000000..6f6ae1bfe9
--- /dev/null
+++ b/stories/axios_supply_chain_post_compromise.yml
@@ -0,0 +1,38 @@
+name: Axios Supply Chain Post Compromise
+id: 2b1b0e8f-8674-4544-a209-a52e1ea4c2da
+version: 1
+date: '2026-03-31'
+author: Teoderick Contreras, Splunk
+status: production
+description: |-
+ Leverage searches that help you detect and investigate post-compromise activity that may
+ follow installation of compromised axios npm releases (notably axios@1.14.1 and axios@0.30.4) and the phantom dependency plain-crypto-js@4.2.1 from the March 2026 supply chain incident documented by Huntress, Socket, Step Security, and others.
+
+ The backdoored packages used a malicious postinstall script to drop a cross-platform remote access trojan with Windows, macOS, and Linux payloads, process staging, and command-and-control beaconing. Use these analytics alongside dependency audits and EDR data to scope impact, prioritize containment, and support recovery on hosts that resolved the malicious versions during the exposure window.
+narrative: |-
+ On March 31, 2026, attackers compromised the npm account of the lead axios maintainer and published two trojanized releases: axios@1.14.1 (tagged latest) and axios@0.30.4 (tagged legacy).
+
+ The packages introduced a dependency that legitimate axios never used—plain-crypto-js@4.2.1—whose sole purpose was to run a postinstall script that downloaded and executed a cross-platform RAT.
+
+ axios is one of the most widely used JavaScript HTTP clients, so CI/CD jobs, developer workstations, and applications that ran npm install during the roughly three-hour window could have pulled the malicious builds automatically, especially where semver caret ranges allowed the new versions to resolve without a locked lockfile.
+
+ Infection required no end-user action: installing dependencies was enough to trigger the dropper. Reporting from Huntress and the community noted infections beginning within minutes of publication, consistent with automated pipelines and local installs resolving ^1.x or similar ranges.
+
+ The dropper used obfuscation and post-execution cleanup (for example, replacing package metadata so the plain-crypto-js folder looked benign), which makes disk evidence easy to miss and raises the value of process, script, and network telemetry for confirming compromise on a host.
+
+ After the initial drop, platform-specific tradecraft unfolded—such as staging scripts under temp paths, abusing trusted interpreters, and beaconing to remote infrastructure. These behaviors are the post-compromise phase this story emphasizes: moving from a poisoned package install to hands-on access, reconnaissance, and persistence-style activity on Windows, macOS, or Linux endpoints. Detections aligned to this narrative help teams find execution chains that may not explicitly mention axios or npm in every event.
+
+ Organizations should treat any system that installed the known bad versions during the incident window as potentially breached: validate lockfiles and SBOMs, rotate credentials and tokens that could have been exposed on those machines, and hunt using the bundled analytics plus C2 and IOC lists from vendor advisories. Pairing these searches with asset and dependency inventory reduces blind spots where transitive JavaScript dependencies updated in the background.
+references:
+ - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
+ - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
+ - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
+ - https://socket.dev/blog/axios-npm-package-compromised
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
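Review bot: Every analytic this diff tags into the new story sits under detections/endpoint/ and, judging by its name, keys on process, file, registry, PowerShell or script telemetry, yet the narrative leans on network evidence ("raises the value of process, script, and network telemetry", "C2 and IOC lists from vendor advisories") and the description characterises the RAT by its command-and-control beaconing; no network-based analytic is bundled, so either tag one or state plainly in the description that C2 coverage depends on advisory IOCs applied separately. The two install-time artifacts the narrative itself names — the phantom `plain-crypto-js` dependency and an npm postinstall script spawning the dropper — are likewise not targeted by any tagged detection, and a hunt for `npm`/`node` spawning shells or interpreters, or for a `node_modules/plain-crypto-js` directory on disk, would be the most direct triage pivot and deserves a sentence in the description or a dedicated analytic. Minor wording: `without a locked lockfile` reads oddly; `without a lockfile pinning the resolved version` says what is meant.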