AI Supply Chain Attack · AI Security & Automation

AI Supply Chain Attack

If you are using Claude Code, Codex, Gemini or any other tool for coding on your desktop, you might want to pay attention to this.

https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html

https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package

https://www.sophos.com/en-us/blog/axios-npm-package-compromised-to-deploy-malware

I have just woke up, but apparently there has been huge supply chain attack. At the moment I'm working on threat hunting. Here is the KQL hunt query. Might be useful to someone.

let TimePeriod = 3d;

// Hash IOCs

let AxiosIOCMD5 = dynamic([

"21d2470cae072cf2d027d473d168158c",

"db7f4c82c732e8b107492cae419740ab",

"7658962ae060a222c0058cd4e979bfa1",

"089e2872016f75a5223b5e02c184dfec",

"04e3073b3cd5c5bfcde6f575ecf6e8c1",

"7a9ddef00f69477b96252ca234fcbeeb",

"9663665850cdd8fe12e30a671e5c4e6f",

"8c782b59a786f18520673e8d669e3b0a"

]);

let AxiosIOCSHA1 = dynamic([

"2553649f2322049666871cea80a5d0d6adc700ca",

"d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71",

"07d889e2dadce6f3910dcbc253317d28ca61c766",

"b0e0f12f1be57dc67fa375e860cedd19553c464d",

"978407431d75885228e0776913543992a9eb7cc4",

"a90c26e7cbb3440ac1cad75cf351cbedef7744a8",

"13ab317c5dcab9af2d1bdb22118b9f09f8a4038e",

"59faac136680104948e083b3b67a70af9bfa5d5e",

"ae39c4c550ad656622736134035f17ca7a66a742"

]);

let AxiosIOCSHA256 = dynamic([

"5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd",

"59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f",

"58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668",

"e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",

"f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd",

"617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",

"92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",

"fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf",

"e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff"

]);

// Network / string IOCs

let AxiosIOCIPs = dynamic([

"142.11.206.73"

]);

let AxiosIOCDomains = dynamic([

"sfrclak.com",

"callnrwise.com"

]);

let AxiosIOCUrls = dynamic([

"http://sfrclak.com:8000/6202033"

]);

let AxiosIOCEmails = dynamic([

"[email protected]",

"[email protected]"

]);

let AxiosIOCPaths = dynamic([

@"C:\ProgramData\wt.exe",

@"C:\ProgramData\system.bat"

]);

// File hash hits

let FileHashScan =

DeviceFileEvents

| where TimeGenerated > ago(TimePeriod)

| where MD5 in~ (AxiosIOCMD5)

or SHA1 in~ (AxiosIOCSHA1)

or SHA256 in~ (AxiosIOCSHA256)

| extend IOCType = "File Hash Match",

MatchedIOC = case(

MD5 in~ (AxiosIOCMD5), MD5,

SHA1 in~ (AxiosIOCSHA1), SHA1,

SHA256 in~ (AxiosIOCSHA256), SHA256,

"Unknown"

);

// Network hits

let NetworkScan =

DeviceNetworkEvents

| where TimeGenerated > ago(TimePeriod)

| where RemoteIP in~ (AxiosIOCIPs)

or RemoteUrl has_any (AxiosIOCDomains)

or RemoteUrl in~ (AxiosIOCUrls)

or InitiatingProcessCommandLine has_any (AxiosIOCDomains)

or InitiatingProcessCommandLine has_any (AxiosIOCUrls)

or InitiatingProcessCommandLine has_any (AxiosIOCEmails)

| extend IOCType = "Network IOC Match",

MatchedIOC = case(

RemoteIP in~ (AxiosIOCIPs), RemoteIP,

RemoteUrl in~ (AxiosIOCUrls), RemoteUrl,

RemoteUrl has "sfrclak.com", "sfrclak.com",

RemoteUrl has "callnrwise.com", "callnrwise.com",

InitiatingProcessCommandLine has "http://sfrclak.com:8000/6202033", "http://sfrclak.com:8000/6202033",

InitiatingProcessCommandLine has "sfrclak.com", "sfrclak.com",

InitiatingProcessCommandLine has "callnrwise.com", "callnrwise.com",

InitiatingProcessCommandLine has "[email protected]", "[email protected]",

"Unknown"

);

// File path / command-line / persistence hits

let ProcessAndPathScan =

DeviceProcessEvents

| where TimeGenerated > ago(TimePeriod)

| where FolderPath in~ (AxiosIOCPaths)

or ProcessCommandLine has_any (AxiosIOCPaths)

or ProcessCommandLine has_any (AxiosIOCDomains)

or ProcessCommandLine has_any (AxiosIOCUrls)

or ProcessCommandLine has_any (AxiosIOCEmails)

| extend IOCType = "Process/Path IOC Match",

MatchedIOC = case(

FolderPath in~ (AxiosIOCPaths), FolderPath,

ProcessCommandLine has @"C:\ProgramData\wt.exe", @"C:\ProgramData\wt.exe",

ProcessCommandLine has @"C:\ProgramData\system.bat", @"C:\ProgramData\system.bat",

ProcessCommandLine has "http://sfrclak.com:8000/6202033", "http://sfrclak.com:8000/6202033",

ProcessCommandLine has "sfrclak.com", "sfrclak.com",

ProcessCommandLine has "callnrwise.com", "callnrwise.com",

ProcessCommandLine has "[email protected]", "[email protected]",

"Unknown"

);

// Optional: registry persistence checks

let RegistryScan =

DeviceRegistryEvents

| where TimeGenerated > ago(TimePeriod)

| where RegistryValueData has_any (AxiosIOCPaths)

or RegistryValueData has_any (AxiosIOCDomains)

or RegistryValueData has_any (AxiosIOCUrls)

or RegistryValueData has_any (AxiosIOCEmails)

| extend IOCType = "Registry IOC Match",

MatchedIOC = case(

RegistryValueData has @"C:\ProgramData\wt.exe", @"C:\ProgramData\wt.exe",

RegistryValueData has @"C:\ProgramData\system.bat", @"C:\ProgramData\system.bat",

RegistryValueData has "http://sfrclak.com:8000/6202033", "http://sfrclak.com:8000/6202033",

RegistryValueData has "sfrclak.com", "sfrclak.com",

RegistryValueData has "callnrwise.com", "callnrwise.com",

RegistryValueData has "[email protected]", "[email protected]",

"Unknown"

);

union FileHashScan, NetworkScan, ProcessAndPathScan, RegistryScan

| sort by TimeGenerated desc

0 comments

AI Security & Automation

skool.com/cloud-ai-security-academy-4626

Learn AI, automation and security tools reshaping modern SOC and cyber careers.

Day by Day Wellness Club

The Acting Lab

Mikey's Money House

Bring people together around your passion and get paid.