Supply Chain Compromise of axios npm Package
Note: This Rapid Response article has been written with AI assistance.
Acknowledgments: Special thanks to Jevon Ang, Michael Elford, Jordan Sexton, Armelle French, Stephanie Fairless, Juzzy Allen, Ryan Dowd, Chad Hudson, Lindon Wass, James Maclachlan, James Northey, Josh Kiriakoff, Jai Minton, and Max Rogers for their contributions to this investigation and response.
UPDATE @ 3/31 at 6:30pm ET
Since publishing our analysis last night, Huntress has continued to monitor the axios supply chain compromise.
The Huntress SOC has seen further indicators on systems, including a system.bat script persisted through a user Run key named Microsoft Update, similar to the one seen in the axios compromise, which instead contacts calltan[.]com. This pre-dates the axios compromise, and its exact date of creation is unknown, but it shares a naming theme with another domain linked to this compromise, callnrwise[.]com. Notably, the calltan[.]com domain has been linked back to a binary recently used by DPRK …
IoC
http://packages.npm.org/product0
http://sfrclak.com:8000
http://callnrwise.com
http://sfrclak.com:8000/6202033
https://gist.github.com/JohnHammond/df0e06df00e993e7917436d0f73df626
http://packages.npm.org/product1
https://gist.github.com/JohnHammond/96575799bd87ae64cddbc55634a6d32d
http://calltan.com
http://sfrclak.com
http://proton.me
http://packages.npm.org/product2
142.11.206.73
(18 email-address indicators; the addresses are obfuscated on the page and not recoverable)
96575799bd87ae64cddbc55634a6d32d
f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
2553649f2322049666871cea80a5d0d6adc700ca
07d889e2dadce6f3910dcbc253317d28ca61c766
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
df0e06df00e993e7917436d0f73df626
d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
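The 3/31 update describes the persistence the SOC has been finding: a .bat script launched from a per-user Run key, with the script reaching out to one of the domains above. The following PowerShell hunt is an added example, not code from the Huntress article or the axios project. It assumes the Run key value is named "Microsoft Update" (the reading of the update above) and that the command line launches a .bat file; the registry locations are the standard Run/RunOnce paths, which the article does not name. The domains, IP and SHA-256 hashes are taken from the IoC list above; proton.me and the GitHub gist URLs are left out because they are not attacker infrastructure.

```powershell
# Added hunt script (not from the Huntress article). Assumptions: the value
# name is "Microsoft Update" and the command launches a .bat file; Run/RunOnce
# paths below are the standard locations, not taken from the article.
$IocStrings = @('sfrclak.com', 'callnrwise.com', 'calltan.com',
                'packages.npm.org', '142.11.206.73')            # from the IoC list
$IocSha256  = @('f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd',
                '617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101',
                'fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf',
                '92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a')

# Current user's Run keys plus every other loaded profile hive under HKU, so a
# shared host with several logged-on users is covered in one pass.
$runPaths = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    # Only real user SIDs; skip built-in accounts and the *_Classes hives.
    if ($hive.PSChildName -notmatch '^S-1-5-21-' -or $hive.PSChildName -match '_Classes$') { continue }
    $runPaths += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runPaths += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

$findings = foreach ($path in $runPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $cmd     = [string]$key.GetValue($name)
        $nameHit = ($name -eq 'Microsoft Update')      # assumed value name
        $batHit  = ($cmd -match '\.bat\b')             # any .bat launched at logon
        if (-not ($nameHit -or $batHit)) { continue }

        # Pull the script path out of the command line, e.g. "C:\...\system.bat"
        # or cmd /c C:\...\system.bat, then grep it for IoC strings and hash it.
        $script  = if ($cmd -match '"?([A-Za-z]:\\[^"]+?\.bat)"?') { $Matches[1] } else { $null }
        $iocHits = @()
        $sha256  = $null
        if ($script -and (Test-Path -LiteralPath $script)) {
            $body    = Get-Content -LiteralPath $script -Raw
            $iocHits = @($IocStrings | Where-Object { $body -match [regex]::Escape($_) })
            $sha256  = (Get-FileHash -LiteralPath $script -Algorithm SHA256).Hash.ToLower()
        }
        [pscustomobject]@{
            KeyPath      = $path
            ValueName    = $name
            Command      = $cmd
            Script       = $script
            SHA256       = $sha256
            KnownBadHash = ($null -ne $sha256 -and $IocSha256 -contains $sha256)
            IoCHits      = ($iocHits -join ', ')
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious Run/RunOnce entries found.' }
```

Run it in an elevated session so the HKU hives of other logged-on users are readable; as a standard user it still covers HKCU. A hit on the value name alone, or a .bat in a Run key with no IoC string match, is a lead rather than a confirmation: pull the script and the rest of the host's Run keys before cleaning anything, since the update notes the calltan[.]com variant pre-dates the axios compromise and may sit on hosts that never installed the package.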