Sixteen Packages, Eight Payloads, Two Sock Puppets
A malicious npm package strapi-plugin-events was published on April 3, 2026, masquerading as a legitimate Strapi CMS plugin. It was pushed by the sock-puppet account umarbek1233, registered with a @sharebot.net disposable email address. The package carries a sophisticated multi-phase payload including Redis remote code execution, database credential theft, and command and control capabilities.
This incident lands just three days after a far larger supply chain compromise hit the npm ecosystem. On March 31, the North Korea-nexus threat actor UNC1069 compromised the widely used axios package (versions 1.14.1 and 0.30.4), injecting a malicious dependency called plain-crypto-js that deployed the cross-platform WAVESHAPER.V2 backdoor [1].
npm Supply Chain Attacks Are Accelerating
The npm ecosystem has experienced a steady escalation of supply chain compromises over the past year.
The Axios Compromise (March 31, 2026)
Just three days before this incident, UNC1069 injected the malicious plain-crypto-js dependency into axios versions 1.14.1 and 0.30.4 during a narrow window between 00:21 and 03:29 UTC on March 31 [1]. The payload, SILKBELL (a JavaScript dropper in setup.js), deployed WAVESHAPER.V2 across Windows, macOS, and Linux using platform-specific paths [1]. Axios has millions of weekly downloads, making even a three-hour compromise window enormously impactful.
The Shai-Hulud Worm (September 2025)
The Shai-Hulud worm was first detected on September 15, 2025, with patient zero identified as rxnt-authentication version 0.0.3, published September 14, 2025 [7]. The worm propagated automatically via an updatePackage function and weaponized the legitimate TruffleHog secret-scanning tool to harvest credentials from local filesystems. By the time Shai-Hulud 2.0 was contained, it had affected over 25,000 GitHub repositories across 350 users [6]. Compromised packages included high-profile targets: ngx-bootstrap (300K weekly downloads), ng2-file-upload (100K weekly downloads), and @ctrl/tinycolor (2.2M weekly downloads) [7]. CISA issued a formal alert recommending organizations immediately rotate all developer credentials and block outbound connections to webhook.site domains [2].
The PhantomRaven Campaign
The PhantomRaven operation flooded npm with 126 malicious packages that accumulated over 86,000 downloads [4]. The campaign pioneered a technique called Remote Dynamic Dependencies, where the actual malicious payload lives on the attacker's server (specifically packages.storeartifact.com) rather than in the npm registry itself [4]. This makes static analysis of the published package ineffective. Stolen credentials, particularly GitHub tokens and CI/CD secrets, were exfiltrated via jpd.php on the attacker-controlled domain.
The Common Thread
All of these campaigns exploit the same fundamental trust relationship: developers install packages and execute arbitrary code during install hooks (postinstall, preinstall) without meaningful review.
IOC Table
The following IOCs are drawn from the broader npm supply chain context. Defenders should monitor for these alongside any indicators specific to malicious Strapi packages.
| Type | Value | Context | Source |
|---|---|---|---|
| domain | sfrclak.com | WAVESHAPER.V2 C2 domain | [1] |
| ip | 142.11.206.73 | WAVESHAPER.V2 C2 IP | [1] |
| malware | plain-crypto-js | Malicious dependency injected into axios | [1] |
| malware | WAVESHAPER.V2 | Cross-platform backdoor (UNC1069) | [1] |
| malware | SILKBELL | JavaScript dropper (setup.js) | [1] |
| filename | setup.js | SILKBELL dropper via postinstall hook | [1] |
| filename | /Library/Caches/com.apple.act.mond | macOS payload path | [1] |
| filename | /tmp/ld.py | Linux payload path | [1] |
| filename | %PROGRAMDATA%\wt | Windows payload path | [1] |
| filename | %TEMP%\6202033.vbs | Windows VBScript execution path | [1] |
| filename | %TEMP%\6202033.ps1 | Windows PowerShell execution path | [1] |
| domain | webhook.site | Shai-Hulud exfiltration domain | [2] |
| domain | npmjs.help | Phishing domain impersonating npm | [2] |
| filename | shai-hulud-workflow.yml | Malicious GitHub Actions workflow | [6] |
| filename | bundle.js | Malicious payload via postinstall | [6] |
| filename | setup_bun.js | Shai-Hulud 2.0 credential harvester | [6] |
| filename | bun_environment.js | Shai-Hulud 2.0 env scanner | [6] |
| domain | packages.storeartifact.com | PhantomRaven payload hosting | [4] |
| url | jpd.php | PhantomRaven exfiltration path | [4] |
| malware | rxnt-authentication | Shai-Hulud patient zero (v0.0.3) | [7] |
| account | umarbek1233 | Sock puppet, strapi-plugin-events | N/A |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | All campaigns discussed exploit npm package trust [1][2][4][7] |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Malicious postinstall hooks execute JS payloads [1][6] |
| T1059.001 | Command and Scripting Interpreter: PowerShell | WAVESHAPER.V2 uses PowerShell on Windows [1] |
| T1552.001 | Unsecured Credentials: Credentials In Files | PhantomRaven targets .npmrc tokens; Shai-Hulud scans for secrets [4][6] |
| T1071.001 | Application Layer Protocol: Web Protocols | C2 and exfiltration over HTTP/HTTPS across campaigns [1][2][4] |
| T1041 | Exfiltration Over C2 Channel | WAVESHAPER.V2 exfils over its C2 channel [1] |
| T1020 | Automated Exfiltration | Shai-Hulud automates secret exfiltration to public repos [6] |
| T1027 | Obfuscated Files or Information | PhantomRaven hides payloads via Remote Dynamic Dependencies [4] |
| T1543.004 | Create or Modify System Process: Launch Daemon | WAVESHAPER.V2 persistence on macOS [1] |
| T1078.004 | Valid Accounts: Cloud Accounts | Stolen CI/CD tokens enable downstream compromise [6] |
Detection and Hunting
Package audit. Verify installed packages against the known malicious names. Check whether the sock-puppet account umarbek1233 is a maintainer of any installed dependency; publisher information is not part of the dependency tree listing, so it has to be read from the package's registry metadata (the maintainers field).
Install hook monitoring. Monitor for unexpected process execution during npm install. The postinstall and preinstall hooks are the primary execution vector across all campaigns discussed here [1][6][7]. Tools such as Socket.dev can flag packages that declare install scripts, and npm itself can be told to skip them with ignore-scripts=true so that the list of packages needing scripts is reviewed explicitly.
Network indicators. Block and alert on outbound connections to webhook.site, npmjs.help, sfrclak.com, and packages.storeartifact.com [1][2][4]. Monitor DNS logs for resolution of these domains.
Redis access anomalies. Hunt for unusual Redis command patterns, particularly CONFIG SET and SLAVEOF commands issued by Node.js processes.
Environment variable access. Several payload variants harvest environment variables and credential files. Monitor for Node.js processes reading .env files, .npmrc, or cloud credential files (cloud.json, environment.json) outside normal application behavior; the useful signal is a single process touching several of these in a short window, not any one access.
GitHub Actions audit. For organizations using GitHub, search for unexpected workflow files: shai-hulud-workflow.yml and discussion.yaml are known malicious workflow names [6]. Review repository descriptions for the string "Sha1-Hulud: The Second Coming" [6].
Analysis
The timing of this incident, three days after the axios compromise, is notable from a defender's perspective. Security teams focused on validating their axios dependencies may not be watching for new malicious packages from unknown publishers. Whether this is coincidence or deliberate timing to exploit distraction is unclear.
Red Sheep Assessment
Confidence: Low
While one malicious strapi-plugin-events package was confirmed, the broader campaign described (16 packages, 8 payload variants) could not be independently verified. The single package found does demonstrate sophisticated capabilities including multi-phase data exfiltration and C2 functionality.
The contrarian read: this could represent early reconnaissance or testing before a broader campaign. The functional Strapi plugin code and sophisticated payload suggest capability for a larger operation. However, without evidence of the additional 15 packages, we cannot confirm the scale claimed.
The use of disposable @sharebot.net emails suggests moderate operational security awareness but not high sophistication. The account will likely be burned quickly. The operator appears to be optimizing for short-term access, not persistence in the npm registry.
Defender's Checklist
- [ ] Audit for strapi-plugin-events and any packages published by umarbek1233. `npm ls --all strapi-plugin-events` reports whether the package is anywhere in the dependency tree; `npm ls` does not print publishers, so check suspect packages with `npm view <package> maintainers`.
- [ ] Block C2 domains at the network edge: sfrclak.com, webhook.site, packages.storeartifact.com, npmjs.help [1][2][4]
- [ ] Pin axios to known-good versions (not 1.14.1 or 0.30.4) and verify plain-crypto-js is not present in your dependency tree (`npm ls --all plain-crypto-js`) [1]
- [ ] Review Redis access logs for anomalous commands from Node.js application processes, particularly CONFIG, SLAVEOF, and MODULE LOAD
- [ ] Restrict npm install hooks in CI/CD pipelines with ignore-scripts=true in .npmrc, selectively enabling scripts only for verified packages
References
- North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack, Google Cloud Blog
- Widespread Supply Chain Compromise Impacting npm Ecosystem, CISA
- Malicious NPM Packages Contain Invisible Dependencies, Dark Reading
- Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack, Unit 42
- Shai-Hulud npm supply chain attack: What you need to know, ReversingLabs
---
Hunt Guide: npm Supply Chain Compromise Campaign - Malicious Strapi Packages
Hypothesis: If threat actors are conducting npm supply chain attacks targeting our development infrastructure, we expect to observe malicious package installations, suspicious postinstall hook executions, and C2 communications to known malicious domains in our endpoint, network, and CI/CD pipeline logs.
Intelligence Summary: A malicious npm package 'strapi-plugin-events' was published on April 3, 2026 by sock-puppet account 'umarbek1233', containing sophisticated multi-phase payloads including Redis RCE, database credential theft, and C2 capabilities. This incident follows the high-profile axios compromise by North Korea-nexus UNC1069 on March 31, 2026, suggesting potential campaign coordination or opportunistic timing.
Confidence: Moderate | Priority: High
Scope
- Networks: All development environments, CI/CD infrastructure, and systems with npm/node.js installed
- Timeframe: Focus on March 31, 2026 - Present (axios compromise onwards), with retrospective analysis back to September 2025 for Shai-Hulud indicators
- Priority Systems: CI/CD servers, developer workstations, build agents, artifact repositories, systems with access to production credentials
MITRE ATT&CK Techniques
T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain (Initial Access) [P1]
Threat actors publish malicious npm packages or compromise legitimate ones, exploiting developer trust during package installation
Splunk SPL:
index=* ((sourcetype=sysmon EventCode=1) OR sourcetype=osquery:results) (CommandLine="*npm install*" OR CommandLine="*npm i *" OR CommandLine="*yarn add*") | eval suspicious_package=if(match(CommandLine, "(strapi-plugin-events|plain-crypto-js|rxnt-authentication)"), "TRUE", "FALSE") | search suspicious_package="TRUE" | stats count by host, CommandLine, User | sort -count
Elastic KQL:
event.category:process AND process.command_line:("npm install" OR "npm i" OR "yarn add") AND process.command_line:("strapi-plugin-events" OR "plain-crypto-js" OR "rxnt-authentication" OR "umarbek1233")
Sigma Rule:
```yaml
title: Suspicious npm Package Installation
id: a7b3c4d2-8f9e-4a56-b123-456789abcdef
status: experimental
description: Detects installation of known malicious npm packages
references:
  - Internal Threat Intelligence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'npm install'
      - 'npm i '
      - 'yarn add'
  suspicious_packages:
    CommandLine|contains:
      - 'strapi-plugin-events'
      - 'plain-crypto-js'
      - 'rxnt-authentication'
      - 'umarbek1233'
  condition: selection and suspicious_packages
falsepositives:
  - Unknown
level: high
tags:
  - attack.initial_access
  - attack.t1195.002
```
Monitor for package installations during off-hours. Check package.json changes in version control for unexpected dependencies.
T1059.007 — Command and Scripting Interpreter: JavaScript (Execution) [P1]
Malicious postinstall and preinstall hooks execute JavaScript payloads during npm package installation
Splunk SPL:
index=* sourcetype=sysmon EventCode=1 (Image="*node.exe" OR Image="*node") ParentImage="*npm*" | eval postinstall_exec=if(match(CommandLine, "(postinstall|preinstall|install)"), "TRUE", "FALSE") | where postinstall_exec="TRUE" | rex field=CommandLine "(?<script_name>[\w\-\.]+\.js)" | stats count by host, ParentCommandLine, CommandLine, script_name, User | sort -count
Elastic KQL:
event.code:1 AND process.name:("node.exe" OR "node") AND process.parent.name:"npm*" AND process.command_line:("postinstall" OR "preinstall" OR "setup.js" OR "bundle.js")
Sigma Rule:
```yaml
title: Suspicious npm Hook Script Execution
id: b8c5d3e1-9f7a-5b67-c234-567890bcdef0
status: experimental
description: Detects execution of JavaScript files during npm install hooks
logsource:
  product: linux
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith:
      - '/node'
      - 'node.exe'
    ParentImage|contains: 'npm'
  suspicious_scripts:
    CommandLine|contains:
      - 'setup.js'
      - 'bundle.js'
      - 'setup_bun.js'
      - 'bun_environment.js'
  condition: selection and suspicious_scripts
level: high
```
Focus on scripts executing from /tmp or node_modules directories, or containing base64/obfuscated content. Note that npm is itself a Node script (npm-cli.js) and runs lifecycle scripts through sh -c (cmd.exe on Windows), so the direct parent of a hook process is usually node or sh rather than an npm binary; matching ParentCommandLine on npm-cli.js or on the hook name is more reliable than ParentImage alone.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
Malicious packages communicate with C2 servers and exfiltrate data over HTTP/HTTPS
Splunk SPL:
index=* sourcetype=stream:http OR sourcetype=bro:http:log OR sourcetype=zeek:http:log dest IN ("sfrclak.com", "142.11.206.73", "webhook.site", "packages.storeartifact.com", "npmjs.help") | eval process_context=coalesce(process_name, app, "") | search process_context="*node*" OR uri_path="*jpd.php*" | stats count by src, dest, uri_path, method, status_code, bytes_out | sort -bytes_out
Elastic KQL:
(destination.domain:("sfrclak.com" OR "webhook.site" OR "packages.storeartifact.com" OR "npmjs.help") OR destination.ip:"142.11.206.73") AND (process.name:"node*" OR url.path:"*jpd.php")
Sigma Rule:
```yaml
title: npm Malware C2 Communication
id: c9d6e4f2-008b-6c78-d345-678901cdef01
status: experimental
description: Detects network connections from node/npm processes to known npm supply chain attack C2 infrastructure
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '\npm.exe'
  malicious_domain:
    DestinationHostname:
      - 'sfrclak.com'
      - 'webhook.site'
      - 'packages.storeartifact.com'
      - 'npmjs.help'
  malicious_ip:
    DestinationIp: '142.11.206.73'
  condition: selection and (malicious_domain or malicious_ip)
level: critical
```
Block these domains at firewall/proxy. Monitor for DNS queries even if connections are blocked. Sysmon's DestinationHostname field is populated from reverse DNS and is frequently empty, so pair this rule with DNS query telemetry (Sysmon EventID 22 or resolver logs) rather than relying on the hostname match alone.
T1552.001 — Unsecured Credentials: Credentials In Files (Credential Access) [P2]
Malicious packages scan for and exfiltrate credentials from .npmrc, .env, and cloud configuration files
Splunk SPL:
index=* sourcetype=sysmon (EventCode=11 OR EventCode=15) (TargetFilename="*.npmrc" OR TargetFilename="*.env" OR TargetFilename="*cloud.json" OR TargetFilename="*environment.json" OR TargetFilename="*.git/config") Image="*node*" | eval cred_access=case(match(TargetFilename, "\.npmrc"), "NPM_TOKEN", match(TargetFilename, "\.env"), "ENV_VARS", match(TargetFilename, "cloud\.json"), "CLOUD_CREDS", 1=1, "OTHER") | stats count by host, Image, TargetFilename, cred_access, User | sort -count
Elastic KQL:
(event.code:11 OR event.code:15) AND file.path:("*.npmrc" OR "*.env" OR "*cloud.json" OR "*environment.json" OR "*.git/config") AND process.name:"node*"
Baseline normal credential file access by legitimate processes. Sysmon EventID 11 and 15 record file creation, not reads, so these queries catch a node process writing or staging these files rather than reading them; to detect reads of .npmrc or .env, use auditd watches, EDR file-access telemetry, or an equivalent OS audit policy. Alert on node processes touching multiple credential files in a short window.
T1059.001 — Command and Scripting Interpreter: PowerShell (Execution) [P2]
WAVESHAPER.V2 backdoor uses PowerShell for execution on Windows systems
Splunk SPL:
index=* sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104 (ScriptBlockText="*6202033.ps1*" OR ScriptBlockText="*PROGRAMDATA*" OR ScriptBlockText="*wt*") | eval suspicious_path=if(match(ScriptBlockText, "(%TEMP%|%PROGRAMDATA%|\\wt\\)"), "TRUE", "FALSE") | where suspicious_path="TRUE" | stats count by ComputerName, ScriptBlockText, UserID | head 20
Elastic KQL:
event.provider:"Microsoft-Windows-PowerShell" AND event.code:4104 AND powershell.script.text:("*6202033.ps1*" OR "*PROGRAMDATA*" OR "*\\wt\\*")
Monitor for PowerShell execution spawned by node.exe or npm processes. The *wt* and *PROGRAMDATA* patterns match a large amount of benign script text; treat them as triage filters layered on the %TEMP%\6202033.ps1 and %PROGRAMDATA%\wt paths rather than as standalone alerts.
T1027 — Obfuscated Files or Information (Defense Evasion) [P2]
PhantomRaven campaign uses Remote Dynamic Dependencies to hide payloads on attacker-controlled servers
Splunk SPL:
index=* sourcetype=proxy:log OR sourcetype=stream:http url="*packages.storeartifact.com*" method=GET | rex field=url "(?<payload_file>[^/]+\.(js|json|tar\.gz))$" | eval dynamic_load=if(isnotnull(payload_file), "TRUE", "FALSE") | where dynamic_load="TRUE" | stats count by src_ip, url, payload_file, bytes_in | sort -bytes_in
Elastic KQL:
url.full:"*packages.storeartifact.com*" AND http.request.method:"GET" AND url.path:("*.js" OR "*.json" OR "*.tar.gz")
Correlate with npm install events to identify packages loading remote code
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | sfrclak.com | WAVESHAPER.V2 C2 domain used in axios compromise |
| ip | 142.11.206.73 | WAVESHAPER.V2 C2 IP address |
| domain | webhook.site | Shai-Hulud worm exfiltration domain |
| domain | packages.storeartifact.com | PhantomRaven remote payload hosting domain |
| domain | npmjs.help | Phishing domain impersonating npm |
| filename | setup.js | SILKBELL dropper filename executed via postinstall hook |
| filename | 6202033.ps1 | WAVESHAPER.V2 PowerShell payload on Windows |
| filename | shai-hulud-workflow.yml | Malicious GitHub Actions workflow file |
| account | umarbek1233 | Sock puppet account that published strapi-plugin-events |
IOC Sweep Queries (Splunk):
index=* (dest="sfrclak.com" OR query="sfrclak.com" OR url="*sfrclak.com*") | stats count by sourcetype, src, dest, action | sort -count
index=* (dest_ip="142.11.206.73" OR dest="142.11.206.73" OR src_ip="142.11.206.73") | stats count by sourcetype, src, dest, action, bytes_out | sort -count
index=* (dest="*webhook.site" OR query="*webhook.site" OR url="*webhook.site*") | stats count by sourcetype, src, dest, url | sort -count
index=* (dest="packages.storeartifact.com" OR query="packages.storeartifact.com" OR url="*packages.storeartifact.com*") | stats count by sourcetype, src, dest, url | sort -count
index=* (dest="npmjs.help" OR query="npmjs.help" OR url="*npmjs.help*") | stats count by sourcetype, src, dest, url | sort -count
index=* (filename="setup.js" OR file_name="setup.js" OR CommandLine="*setup.js*" OR file_path="*setup.js") | stats count by sourcetype, host, file_path, action | sort -count
index=* (filename="6202033.ps1" OR file_name="6202033.ps1" OR CommandLine="*6202033.ps1*" OR ScriptBlockText="*6202033.ps1*") | stats count by sourcetype, host, file_path | sort -count
index=* (filename="shai-hulud-workflow.yml" OR file_name="shai-hulud-workflow.yml" OR file_path="*shai-hulud-workflow.yml") | stats count by sourcetype, host, file_path, action | sort -count
index=* "umarbek1233" | stats count by sourcetype, host, _raw | sort -count
YARA Rules
NPM_SupplyChain_Indicators — Detects files containing npm supply chain attack indicators. Note that the $dropper* strings (setup.js, bundle.js) occur in a great many legitimate JavaScript projects, so this rule is suited to triage sweeps of suspect artifacts rather than to fleet-wide alerting.
```yara
rule NPM_SupplyChain_Indicators {
    meta:
        description = "Detects npm supply chain attack indicators"
        author = "Threat Hunt Team"
        date = "2024-01-01"
        severity = "high"
    strings:
        $npm1 = "plain-crypto-js" ascii
        $npm2 = "strapi-plugin-events" ascii
        $npm3 = "rxnt-authentication" ascii
        $npm4 = "umarbek1233" ascii
        $dropper1 = "setup.js" ascii
        $dropper2 = "bundle.js" ascii
        $dropper3 = "setup_bun.js" ascii
        $c2_1 = "sfrclak.com" ascii
        $c2_2 = "webhook.site" ascii
        $c2_3 = "packages.storeartifact.com" ascii
        $c2_4 = "npmjs.help" ascii
        $path1 = "/Library/Caches/com.apple.act.mond" ascii
        $path2 = "%PROGRAMDATA%\\wt" ascii
        $path3 = "6202033.ps1" ascii
        $path4 = "6202033.vbs" ascii
    condition:
        any of ($npm*) or
        any of ($dropper*) or
        any of ($c2_*) or
        2 of ($path*)
}
```
WAVESHAPER_V2_Backdoor — Detects WAVESHAPER.V2 backdoor components
```yara
rule WAVESHAPER_V2_Backdoor {
    meta:
        description = "Detects WAVESHAPER.V2 cross-platform backdoor"
        author = "Threat Hunt Team"
        date = "2024-01-01"
        threat_actor = "UNC1069"
    strings:
        // 142.11.206.73 as four raw octets; a 4-byte pattern alone is weak evidence
        $hex_ip = { 8E 0B CE 49 }
        $win_path = "%PROGRAMDATA%\\wt" ascii wide
        $mac_path = "/Library/Caches/com.apple.act.mond" ascii
        $linux_path = "/tmp/ld.py" ascii
        $silkbell = "SILKBELL" ascii nocase
        $waveshaper = "WAVESHAPER" ascii nocase
        // %TEMP%\6202033.vbs
        $vbs_exec = { 25 54 45 4D 50 25 5C 36 32 30 32 30 33 33 2E 76 62 73 }
        // %TEMP%\6202033.ps1
        $ps_exec = { 25 54 45 4D 50 25 5C 36 32 30 32 30 33 33 2E 70 73 31 }
    condition:
        $hex_ip or
        (any of ($win_path, $mac_path, $linux_path) and any of ($vbs_exec, $ps_exec)) or
        (any of ($silkbell, $waveshaper) and any of ($win_path, $mac_path, $linux_path))
}
```
Suricata Rules
SID 3100001 — Detects traffic to WAVESHAPER.V2 C2 domain sfrclak.com
alert dns $HOME_NET any -> any any (msg:"ET TROJAN WAVESHAPER.V2 DNS Query to C2 sfrclak.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|sfrclak|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:3100001; rev:1; metadata:created_at 2024_01_01;)
SID 3100002 — Detects HTTP traffic to WAVESHAPER.V2 C2 IP
alert tcp $HOME_NET any -> 142.11.206.73 $HTTP_PORTS (msg:"ET TROJAN WAVESHAPER.V2 HTTP C2 Traffic to Known IP"; flow:established,to_server; content:"GET"; http_method; classtype:trojan-activity; sid:3100002; rev:1; metadata:created_at 2024_01_01;)
SID 3100003 — Detects traffic to PhantomRaven payload hosting domain
alert dns $HOME_NET any -> any any (msg:"ET TROJAN PhantomRaven DNS Query to packages.storeartifact.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|packages|0d|storeartifact|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:3100003; rev:1;)
SID 3100004 — Detects exfiltration to webhook.site domain
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Shai-Hulud Exfiltration to webhook.site"; flow:established,to_server; content:"POST"; http_method; content:"webhook.site"; http_host; classtype:trojan-activity; sid:3100004; rev:1;)
SID 3100005 — Detects HTTP GET to jpd.php exfiltration endpoint
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PhantomRaven Exfiltration to jpd.php"; flow:established,to_server; http.uri; content:"/jpd.php"; classtype:trojan-activity; sid:3100005; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1195.002, T1059.007, T1552.001 | EventID 1 (Process Create), EventID 11 (File Create), EventID 3 (Network Connection) |
| PowerShell ScriptBlock Logging | T1059.001 | EventID 4104 required to detect WAVESHAPER.V2 PowerShell execution |
| DNS Logs | T1071.001 | Required to detect C2 domain resolution attempts |
| Web Proxy Logs | T1071.001, T1027 | Critical for detecting remote payload downloads and data exfiltration |
| EDR/Process Monitoring | T1195.002, T1059.007 | Monitor node.exe process creation and child processes during npm operations |
| CI/CD Pipeline Logs | T1195.002 | Jenkins, GitLab CI, GitHub Actions logs for package installation events |