SIGS: PoC for Axios NPM package supply chain compromise

Signature proposal based on the following research: One of the most popular JavaScript packages on earth Axios has been compromised | OpenSourceMalware (disclaimer: I'm not the author).

NOTE: Signature SIDs need proper adjustments.

alert dns $HOME_NET any -> any any (msg:"ET MALWARE plain-crypto-js RAT C2 Domain in DNS Lookup (sfrclak .com)"; \
    dns.query; bsize:11; \
    content:"sfrclak.com"; nocase; \
    reference:url,opensourcemalware.com/blog/axios-compromised; \
    classtype:trojan-activity; \
    sid:1000000; rev:1; \
    metadata: \
        created_at 2026_03_31, \
        deployment Perimeter, \
        performance_impact Low, \
        confidence High, \
        signature_severity Major;)

alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE plain-crypto-js RAT C2 Beacon (FirstInfo/BaseInfo)"; \
  flow:established,to_server; \
  http.method; content:"POST"; \
  http.host; content:"sfrclak.com"; \
  http.user_agent; content:"mozilla/4.0 (compatible|3B| msie 8.0|3B| windows nt 5.1|3B| trident/4.0)"; nocase; fast_pattern; \
  http.uri; pcre:"/\/[0-9]+/"; \
  reference:url,opensourcemalware.com/blog/axios-compromised; \
  classtype:trojan-activity; \
  metadata: \
    created_at 2026_03_31, \
    tls_state plaintext, \
    confidence High, \
    deployment Perimeter, \
    signature_severity Major; \
  sid:1000001; rev:1;)


alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE plain-crypto-js Stage 2 RAT Download"; \
  flow:established,to_server; \
  http.method; content:"POST"; \
  http.user_agent; content:"mozilla/4.0 (compatible|3B| msie 8.0|3B| windows nt 5.1|3B| trident/4.0)"; nocase; fast_pattern; \
  http.uri; pcre:"/\/[0-9]+/"; \
  http.request_body; content:"packages.npm.org/product"; \
  reference:url,opensourcemalware.com/blog/axios-compromised; \
  classtype:trojan-activity; \
  metadata: \
    created_at 2026_03_31, \
    tls_state plaintext, \
    confidence High, \
    deployment Perimeter, \
    signature_severity Major; \
  sid:1000002; rev:1;)


alert http $HOME_NET any -> [142.11.206.73] 8000 (msg:"ET HUNTING plain-crypto-js RAT C2 IP/User-Agent Match"; \
  flow:established,to_server; \
  http.method; content:"POST"; \
  http.user_agent; content:"mozilla/4.0 (compatible|3B| msie 8.0|3B| windows nt 5.1|3B| trident/4.0)"; nocase; fast_pattern; \
  http.uri; pcre:"/\/[0-9]+/"; \
  reference:url,opensourcemalware.com/blog/axios-compromised; \
  classtype:trojan-activity; \
  metadata: \
    created_at 2026_03_31, \
    tls_state plaintext, \
    confidence Medium, \
    deployment Perimeter, \
    signature_severity Major; \
  sid:1000003; rev:1;)

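As an added example (not part of the post and not an ET tool), a small Python linter for the note about SIDs: it folds the backslash-continued rules, checks that every sid sits in the conventional local range (1000000-1999999) and is not duplicated, and flags an http.user_agent content without nocase, since Suricata lowercases the http.host buffer but not the user-agent buffer. SAMPLE_RULES are constructed, shortened copies of two rules above; the function and range names are assumptions.

```python
import re
from itertools import takewhile

# Constructed, shortened copies of two rules from the post (same sids and lowercase UA content).
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE plain-crypto-js RAT C2 Beacon"; \
  http.user_agent; content:"mozilla/4.0 (compatible|3B| msie 8.0)"; fast_pattern; sid:1000001; rev:1;)
alert http $HOME_NET any -> [142.11.206.73] 8000 (msg:"ET HUNTING plain-crypto-js RAT C2 IP/UA"; \
  http.user_agent; content:"mozilla/4.0 (compatible|3B| msie 8.0)"; nocase; sid:100003; rev:1;)
'''
LOCAL_SIDS = range(1_000_000, 2_000_000)  # conventional range for locally authored sids
MODIFIERS = {"nocase", "fast_pattern", "depth", "offset", "distance", "within", "startswith", "endswith"}

def split_options(body):
    """Split a rule's option body on ';' that sit outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            out.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in out + ["".join(cur).strip()] if o]

def lint_rules(text):
    """Return findings: sid outside local range, duplicate sid, case-sensitive UA content."""
    findings, seen = [], {}
    folded = re.sub(r"\\\n\s*", " ", text)  # fold '\'-continued lines into one line per rule
    for line in folded.splitlines():
        m = re.match(r"^(alert|drop|pass|reject)\s.*?\((.*)\)\s*$", line.strip())
        if not m:
            continue
        opts = split_options(m.group(2))
        msg = next((o[4:].strip('"') for o in opts if o.startswith("msg:")), "?")
        sid = next((int(o[4:]) for o in opts if o.startswith("sid:")), -1)
        if sid not in LOCAL_SIDS:
            findings.append(f"{msg}: sid {sid} outside local range 1000000-1999999")
        if sid in seen:
            findings.append(f"{msg}: sid {sid} duplicates '{seen[sid]}'")
        seen[sid] = msg
        # Suricata lowercases http.host but not http.user_agent, so a lowercase content
        # on that buffer needs nocase or it misses the real mixed-case UA string.
        for i, o in enumerate(opts[:-1]):
            if o != "http.user_agent" or not opts[i + 1].startswith("content:"):
                continue
            val = re.sub(r"\|[^|]*\|", "", opts[i + 1][8:])  # drop |hex| byte groups
            mods = list(takewhile(lambda x: x.split(":")[0] in MODIFIERS, opts[i + 2:]))
            if re.search("[A-Za-z]", val) and "nocase" not in mods:
                findings.append(f"{msg}: http.user_agent content is case-sensitive (add nocase)")
    return findings
```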

Hi @n0pth, thanks for sharing. I will take a look and report back once we have the rules ready for release.
