
Malicious npm Package Discovered Installing AdaptixC2 Framework
Experts from Kaspersky Lab have uncovered a malicious package named "https-proxy-utils" in the npm registry. This package, masquerading as legitimate proxy utilities, was designed to install the AdaptixC2 framework on compromised developer systems. AdaptixC2 is an open-source alternative to Cobalt Strike, a tool commonly used for post-exploitation activities in cyberattacks.
The discovery highlights a growing trend in supply chain attacks, where malicious actors infiltrate trusted repositories with harmful packages. In this case, the package was removed after its discovery, but the potential impact remains significant. Developers who had already incorporated the package into their projects could have their systems compromised, leading to further exploitation.
AdaptixC2, as a post-exploitation framework, provides attackers with capabilities for command and control (C2) operations. This includes maintaining persistence on infected systems, executing arbitrary commands, and exfiltrating sensitive data. The use of such frameworks in attacks underscores the need for robust security measures and continuous monitoring of third-party dependencies.
For cybersecurity professionals, this incident serves as a reminder of the importance of vigilance in software supply chains. Regular audits of dependencies, use of package signing, and adherence to secure coding practices are essential to mitigate the risks posed by such malicious packages.
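One concrete form such a dependency audit can take is scanning the project's lockfile for package names known to be malicious, including packages pulled in transitively. The example below is added here and is not code from the article or from Kaspersky; the lockfile contents and the "some-lib" dependency are constructed sample data, and "https-proxy-utils" is the only blocklist entry taken from the report.

```javascript
// Added example (not from the original article): scan an npm lockfile for
// packages whose names appear on a blocklist, covering both the v2/v3
// "packages" map and the older v1 nested "dependencies" tree.
const BLOCKLIST = new Set(["https-proxy-utils"]); // name taken from the report

// Lockfile v2/v3: "packages" is keyed by install path, e.g.
// "node_modules/a/node_modules/b"; the package name is the part after the
// last "node_modules/" segment (scoped names like "@s/p" survive this slice).
function scanPackagesMap(packages, blocklist, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (blocklist.has(name)) hits.push({ name, version: meta.version, path });
  }
}

// Lockfile v1: dependencies nest recursively under "dependencies".
function scanDependencyTree(deps, blocklist, hits, parent) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = parent ? `${parent}/node_modules/${name}` : `node_modules/${name}`;
    if (blocklist.has(name)) hits.push({ name, version: meta.version, path });
    scanDependencyTree(meta.dependencies, blocklist, hits, path);
  }
}

// Returns every blocklisted package found, with its version and install path.
function findBlocklistedPackages(lockfile, blocklist = BLOCKLIST) {
  const hits = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, blocklist, hits);
  else scanDependencyTree(lockfile.dependencies, blocklist, hits, "");
  return hits;
}

// Constructed sample lockfile (v3 layout); versions and "some-lib" are
// invented. The bad package is reached only transitively via "some-lib".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/https-proxy-utils": { version: "1.0.3" },
    "node_modules/express": { version: "4.19.2" },
  },
};

const findings = findBlocklistedPackages(SAMPLE_LOCKFILE);
for (const f of findings) console.log(`BLOCKLISTED: ${f.name}@${f.version} at ${f.path}`);
```

In practice the blocklist would be fed from a threat-intelligence source rather than hard-coded, and the check run in CI against the committed lockfile.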
Supply chain attacks of this kind exploit the trust placed in widely used repositories, and they are becoming more common across the cybersecurity landscape. The "https-proxy-utils" incident shows why stronger controls around dependencies, combined with proactive threat hunting, are needed to detect and mitigate such threats before they reach production systems.