Chain Reaction

Hunt down an Axios chain attack before the chain reaction spreads.

medium

75 min

1,595

In this room, you'll unwrap a sophisticated supply chain attack on Axios, one of the most popular JavaScript libraries with over 80 million weekly downloads. We will skip the full incident breakdown and focus on the most interesting attack techniques and detection opportunities unique to the case. In the final task, you'll also put your skills to the test in a challenge that closely mirrors the real Axios supply chain attack on a workstation.

  • Task 2: Conceptual attack details and interesting observations
  • Task 3: Cheat sheet for the challenge; skip it if you don't want any hints
  • Task 4: The threat hunting challenge that closely mirrors the Axios attack

To better understand the tasks, you are encouraged to read the threat reports first:

Answer the questions below

Let's go!

Incident Overview

On March 31, 2026, two malicious versions of Axios, 1.14.1 and 0.30.4, were published to the npm package registry and injected with a malicious dependency that downloaded a second-stage RAT on both Windows, MacOS, and systems. Security vendors attribute the attack to one of North Korea's financially motivated state actors, such as UNC1069. Below you can see a summarized incident timeline:

  1. Attackers compromise a lead Axios maintainer's npm account via
  2. Resource Development: Attackers stage a fake package (plain-crypto-js@4.2.0) 18 hours before the attack
  3. Backdoor Creation: Attackers publish the malicious plain-crypto-js@4.2.1 with a hidden postinstall hook
  4. Dependency Injection: Attackers release axios@1.14.1 and axios@0.30.4 and add plain-crypto-js@4.2.1 as a dependency
  5. Supply Chain Attack: Once a developer installs or updates Axios (e.g., with npm install), the new dependency is picked up:
     • The postinstall hook node setup.js executes automatically
     • The payload deploys a RAT (Windows / macOS / Linux)
     • The installer replaces setup.js with a clean decoy file
  6. Establishment: The RAT is then used to steal secrets or gain access to the internal network

The next paragraphs highlight some of the most interesting attack phases and observations.

(1)

The compromise began with a attack on the Axios maintainer, jasonsaayman. Attackers posed as a trusted company and invited him into a corporate Slack channel. After gaining his trust, they sent a fake Microsoft Teams meeting link and used a ClickFix approach, displaying a fake system error with instructions to "fix" it by entering malicious commands. Following those instructions, jasonsaayman silently installed a data stealer, which harvested his npm access token.

This is a good indicator of how complex targeted attacks have become, as the adversaries would have to:

  • Research the interests and relations of the Axios maintainer
  • Create a convincing company profile and social media presence
  • Work as a group to make the Slack workspace appear legitimate
  • Build the appropriate ClickFix infrastructure

(4) Dependency Injection

You might wonder why the attackers didn't just backdoor the Axios source code directly; why go through the trouble of creating a fake dependency and triggering it with a postinstall hook? There are at least two reasons:

  1. To make the attack payload more modular and easier to modify and/or self-destruct after execution
  2. To draw less attention, as the Axios source code is more likely to be monitored than its dependencies

XKCD meme template illustrating the complexity of finding backdoored packages in JavaScript applications.

(Image template credit: XKCD (opens in new tab))

(6) Unsophisticated RATs

The initial attack stages are fairly sophisticated, with significant effort spent on building trust during , developing attack infrastructure, and obfuscating the JavaScript payload. On the other hand, the final stage is much easier to detect and analyze. For example:

  • The RAT is a simple Python script that does not persist on the system
  • The Windows RAT is a script persisting via the Run registry key
  • The MacOS RAT is a non-stripped binary, trivial to reverse engineer
  • The communicates over to a hardcoded URL (hxxp://sfrclak[.]com:8000/6202033)
  • The code contains multiple bugs and grammatical mistakes across all platforms. For example:

Code snippet showing a grammar mistake in the C2's code.

This pattern shows up in many recent attacks. Once the initial stage succeeds without triggering any security controls, attackers assume the defenses weren't there, and the hard part is over. Therefore, they stop putting effort into hiding what comes next: the minimally needed infrastructure to steal the data and gain remote control over the victims.

Incident Impact

Between ~00:21 and ~03:15 , anyone who updated Axios to the latest version received a RAT alongside it: students learning JavaScript, independent developers, and big organizations using Axios in corporate applications. There are no public records of which companies were compromised, but the full attack impact may not be felt for some time:

  • The credentials stolen by the RAT may be placed in Darknet markets and bought by other threat actors
  • The infected devices may be used to attack internal networks months after the Axios supply chain

Answer the questions below

Continue to the next task.

Challenge Cheat Sheet

You should be able to complete the challenge using basic prebuilt tools and methodologies. However, you are encouraged to apply the unique logs and techniques described below to gain additional context and learn something new. Please note that the information provided may serve as a mini write-up. If you want to have a purely challenging experience, consider skipping this task for later.

Detecting Postinst With Logs

During npm supply chain attacks, it's often difficult to identify which of hundreds of dependencies caused the infection, or when and how they were installed. Fortunately, npm logs the output of every command, such as npm update or npm install, to per-command ~/.npm/_logs/*.log files. The example below shows evidence of an npm update command that pulled in axios@1.14.1, which in turn installed plain-crypto-js@4.2.1 and its malicious postinstall script (line 22):

Shortened NPM Debug Logs (~/.npm/_logs/*.log)

user@infected-pc$ cat ~/.npm/_logs/2026-04-01T18_30_45_000Z-debug-0.log
1 info using npm@11.11.0
2 info using node@v24.14.1
7 verbose title npm update
8 verbose argv "update"
14 silly fetch manifest axios@1.14.1
16 silly fetch manifest plain-crypto-js@4.2.1
22 info run plain-crypto-js@4.2.1 postinstall node_modules/plain-crypto-js node setup.js
25 info run plain-crypto-js@4.2.1 postinstall { code: 0, signal: null }
26 silly CHANGE node_modules/axios
27 silly ADD node_modules/plain-crypto-js
29 verbose os Linux 6.17.0-1010-aws
33 info ok
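An added example (not from the room) that automates the check above: a small Node.js script that parses a per-command npm debug log for lifecycle-script executions and reports which npm command and which package triggered them. The embedded log is constructed from the shortened log above; pass a real `.log` path as the first argument to scan a workstation's own logs.

```javascript
// Added example (not from the room): scan an npm debug log for lifecycle scripts
// and report which npm command and package triggered them. SAMPLE_LOG is
// CONSTRUCTED from the shortened log shown above; pass a real .log path as argv[2].
const SAMPLE_LOG = `
1 info using npm@11.11.0
7 verbose title npm update
8 verbose argv "update"
14 silly fetch manifest axios@1.14.1
16 silly fetch manifest plain-crypto-js@4.2.1
22 info run plain-crypto-js@4.2.1 postinstall node_modules/plain-crypto-js node setup.js
25 info run plain-crypto-js@4.2.1 postinstall { code: 0, signal: null }
26 silly CHANGE node_modules/axios
27 silly ADD node_modules/plain-crypto-js
33 info ok
`;

// Lifecycle scripts that run arbitrary commands during an install.
const LIFECYCLE = /^(pre|post)?(install|prepare)$/;

function parseNpmLog(text) {
  const result = { command: null, manifests: [], hooks: [] };
  for (const raw of text.split('\n')) {
    // Lines look like "<n> <level> <message>"; the number is npm's own line index.
    const m = raw.match(/^\d+\s+(\w+)\s+(.*)$/);
    if (!m) continue;
    const [, level, msg] = m;
    if (level === 'verbose' && msg.startsWith('title ')) {
      result.command = msg.slice(6);
    } else if (level === 'silly' && msg.startsWith('fetch manifest ')) {
      result.manifests.push(msg.slice(15));
    } else if (level === 'info' && msg.startsWith('run ') && !/\{\s*code:/.test(msg)) {
      // Start line: "run <pkg@ver> <script> <dir> <command>"; the completion
      // line ("{ code: 0, signal: null }") for the same script is skipped above.
      const r = msg.match(/^run (\S+) (\S+) (\S+) (.+)$/);
      if (r && LIFECYCLE.test(r[2])) result.hooks.push({ pkg: r[1], script: r[2], dir: r[3], cmd: r[4] });
    }
  }
  return result;
}

// One triage line per hook: which command pulled in which package and what it ran.
function describeHooks(text) {
  const p = parseNpmLog(text);
  return p.hooks.map(h => `${p.command}: ${h.pkg} ${h.script} ran '${h.cmd}' in ${h.dir}`);
}

const arg = process.argv[2];
const text = arg && arg.endsWith('.log') ? require('fs').readFileSync(arg, 'utf8') : SAMPLE_LOG;
console.log(describeHooks(text).join('\n'));
```

The `manifests` list is worth keeping in the report as well: it shows that axios@1.14.1 was the package that pulled plain-crypto-js@4.2.1 into the tree during this command.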

Deobfuscating JavaScript

In this and other attacks involving JavaScript, you often deal with heavily obfuscated code that takes much time to understand. However, it's usually possible to uncover the main keywords in minutes using browser DevTools or a local Node.js installation. For example, imagine you have a payload with a function called _entry, and you want to get the values of its s and F variables.

Obfuscated JavaScript code snippet (part 1).

You don't need to fully understand the obfuscation: just comment out the final function call and add print statements (console.log) for any variables that look interesting. JavaScript will do the deobfuscation work for you. Just be careful not to execute anything that could cause harm; make sure to strip any dangerous functions like fetch or exec:

Obfuscated JavaScript code snippet (part 2).

Sniffing Traffic

Lastly, the second-stage payload communicates over plain , which means traffic can be intercepted and inspected with Wireshark. For this attack, it's not really necessary, since the behavior is already readable directly from the RAT's source code. However, it's a useful technique for more complex scenarios where source code isn't available or you can only investigate behavior from the corporate .

Wireshark screenshot showing C2 communication over plain HTTP.

Answer the questions below

Continue to the next task.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Chain Reaction

The TryHackMe team has just received a threat report flagging a supply chain attack targeting the Axios npm library. The team has begun hunting across developer workstations, and one employee stands out in the initial sweep: Richard Lee, a junior developer working on a new blog redesign who recently started learning Axios. Your job is to verify whether his Ubuntu laptop (lpt-18092) was infected before the attackers make their next move. Good luck!

Note: You won't need to interact with Docker or logs in this challenge.

Machine Access

Before moving forward, start the lab by clicking the Start Machine button below. The machine will start in split view and will take about two minutes to load. In case the machine is not visible, you can click the Show Split View button at the top of the task. Feel free to test any code you find on the and use any tools available to investigate host behavior. 

Credentials

Alternatively, you can access the from your own -connected machine with the credentials below:

Username: ubuntu
Password: Secure!
IP address: MACHINE_IP
Connection via: :22 or VNC:5901

Answer the questions below

What is the version of the installed Axios library?

What suspicious package does Axios depend on?
Answer Example: supply-chainer@2.7.5

What command is run after the package installation?

What is the encryption key for the JS strings?

What is the full C2 URL found in the JS file?

What string is sent to the C2 to initiate the payload download?

What absolute path was the initial Python payload dropped to?

The Python payload copied itself, and it might still be running!
What is its command line shown by the ps aux command?

What MITRE ATT&CK sub-technique did it use for persistence?

What's the decoded flag sent to the C2 after the loop completes?