# Full Report
The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims' devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS.
# Analysis Summary
The provided context is heavily truncated and consists mostly of website boilerplate (cookie consent, navigation links) rather than substantive technical detail about the malware. However, the title explicitly names the central subject: **"Malicious package with AdaptixC2 framework agent found in npm registry."**
This summary is therefore based *only* on that title and focuses on the **AdaptixC2 framework** and its distribution through the **npm registry**.
# Tool/Technique: AdaptixC2 Agent via npm Package
## Overview
This entry summarizes the discovery of a malicious package hosted on the npm registry that contained an agent for the AdaptixC2 command and control (C2) framework. The primary concern is the initial access vector: a software supply chain compromise targeting the JavaScript/Node.js ecosystem.
## Technical Details
- Type: Malware Agent / Command and Control Framework (AdaptixC2)
- Platform: Windows, Linux, and macOS (per the report); delivered through Node.js / JavaScript environments via npm
- Capabilities: Command and control communication, likely execution of arbitrary attacker commands.
- First Seen: N/A (Specific date missing from context)
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on the nature of a C2 agent distributed via a compromised package.*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (implied communication method)
- TA0005 - Defense Evasion (If the agent uses obfuscation or living off the land techniques)
- TA0002 - Execution (For running arbitrary code upon installation/execution)
## Functionality
### Core Capabilities
- Establishing communication with an attacker-controlled Command and Control infrastructure.
- Execution of commands delivered via the C2 channel.
- Distribution through npm indicates a focus on supply chain compromise of the JavaScript ecosystem.
### Advanced Features
- Specific advanced features of the AdaptixC2 framework are not detailed in the provided context.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A (Only the package name/location is implied)
- Registry Keys: N/A
- Network Indicators: N/A (C2 domains/IPs are not present in the context)
- Behavioral Indicators: Installation and execution triggered by adding/running a dependency from the npm registry.
## Associated Threat Actors
- No specific threat actor is linked in the available text, though the use of AdaptixC2 suggests an organized cybercriminal or espionage group operating custom C2 infrastructure.
## Detection Methods
- Signature-based detection: depends on signatures for the specific AdaptixC2 agent binaries or scripts dropped by the package.
- Behavioral detection: Monitoring for unusual network connections initiated by package installation scripts (e.g., `postinstall` scripts).
- YARA rules: N/A
## Mitigation Strategies
- **Supply Chain Security:** Strict validation and vetting of all third-party dependencies sourced from public repositories like npm.
- **Dependency Auditing:** Using tools to scan package dependencies for known malicious patterns or suspicious post-installation behaviors.
- **Least Privilege:** Ensuring build and production environments operate with restricted permissions to limit the damage from compromised packages.
## Related Tools/Techniques
- Software Supply Chain Attack: Techniques related to compromising software repositories or package managers.
- Other C2 Frameworks distributed via public repositories.