Git805/Axios-Supply-Chain-Incident-Report

GitHub: Git805/Axios-Supply-Chain-Incident-Report

A complete incident report on the March 2026 Axios npm supply chain attack, including forensic analysis, IOCs, detection rules, and SOAR automation workflows.


# Axios Supply Chain Incident Report

# Axios npm Supply Chain Attack - Home Lab Case Study

**Forensic analysis of the March 31, 2026 Sapphire Sleet APT attack on the Axios npm ecosystem**

## Repository Description

This is real-world documentation of a critical npm supply chain attack that compromised the Axios HTTP client library through maintainer account hijacking. This repository contains the complete incident response case study, technical analysis, forensic evidence, and defensive automation workflows, intended to help the security community detect and respond to similar supply chain threats.

**What Happened:** On March 31, 2026, attackers compromised the Axios npm maintainer account and published malicious versions (1.14.1 and 0.30.4) containing a phantom dependency that deployed a cross-platform remote access trojan during `npm install`. The attack window lasted 2 hours 45 minutes before npm removed the malicious packages.

**Why It Matters:** This incident shows how modern supply chain attacks exploit trusted ecosystems and automated build pipelines to achieve wide distribution with minimal attacker effort. The attack surface spans CI/CD pipelines, dependency trees, and postinstall scripts, all legitimate npm features that were weaponized for credential theft and persistent backdoor access.

**Key Resources:**

- 📋 **Incident Report** – Complete technical analysis with attack timeline, payload execution flow, and impact assessment
- 🔍 **Indicators of Compromise (IOCs)** – Malicious packages, C2 infrastructure, and detection commands
- 🛡️ **Hardening Measures** – npm security best practices (`--ignore-scripts`, exact version pinning, package age policies)
- 🤖 **SOAR Automation Workflows** – n8n playbooks for supply chain threat detection and credential rotation
- 📊 **Detection Rules** – SIEM/SOAR queries for postinstall script execution and C2 beaconing patterns

## Why Open Source?

This incident was **contained in an isolated home lab environment** and is now published openly to accelerate the community's response to supply chain threats. Security teams need actionable intelligence, detection patterns, and automation templates, not vendor-locked threat reports. All IOCs, playbooks, and analysis are provided free of charge.

## Attack Summary

| Aspect | Details |
|--------|---------|
| **Threat Actor** | Sapphire Sleet (North Korean APT - Microsoft Attribution) |
| **Attack Date** | March 31, 2026, 00:47 UTC |
| **Detection Date** | April 01, 2026, 08:23 UTC |
| **Compromise Vector** | npm maintainer account hijacking + phantom dependency |
| **Malicious Packages** | axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1 |
| **Payload** | Cross-platform RAT (Windows/macOS/Linux) |
| **C2 Infrastructure** | sfrclak[.]com (142.11.206.73) |
| **Attack Window** | 2 hours 45 minutes (00:21 - 03:15 UTC) |
| **Credentials Exfiltrated** | GitHub PATs (12), AWS keys (3), npm tokens (1), SSH keys (7), API keys (5) |
| **Environment** | Home Lab (Isolated - Non-Production) |
| **Response Time** | 8 hours from C2 detection to full containment |

## Key Findings

✅ **What Went Right:**

- Credential segregation prevented lateral movement to production systems
- Network monitoring detected C2 communication within 8 hours
- Rapid VM snapshot recovery enabled full system rebuild in <1 hour
- Credential inventory documentation accelerated rotation across 28 credentials

⚠️ **What Went Wrong:**

- No postinstall script blocking (`npm ci --ignore-scripts` not enforced)
- Floating version ranges allowed automatic adoption of malicious patches
- No package release age policy (pulled axios@1.14.1 within 26 minutes of publication)
- Package.json changes were transparent while setup.js executed in shadow

## Defensive Lessons

This case study validates multiple defensive principles:

1. **Defense-in-Depth Works** – No single control prevents supply chain attacks, but multiple layers limited blast radius
2. **Behavioral Detection Catches What Signature Detection Misses** – Postinstall scripts evade traditional AV; network monitoring detected the attack
3. **Credential Segregation Is Non-Negotiable** – Personal dev credentials isolated from production prevented catastrophic breach escalation
4. **Traditional Security Controls Are Insufficient** – Antivirus, EDR, and CASB all failed to detect legitimate npm build process weaponization
5. **Network Egress Monitoring Remains Critical** – Only control that caught the attack before credentials were exploited

## For Security Teams

- **SIEM/SOAR Operators** – Import detection rules and playbooks to monitor postinstall script execution, new C2 domains, and lateral movement from build systems
- **Development Teams** – Implement hardening measures (`--ignore-scripts`, exact pinning, package age policies) in CI/CD pipelines
- **Threat Intelligence** – Ingest IOCs into your threat feed and alert on similar supply chain patterns
- **Incident Response** – Use this report as a template for supply chain incident documentation and analysis

## For Researchers

- **Supply Chain Attack Mechanics** – Detailed execution flow of a real-world npm compromise (not theoretical)
- **Postinstall Script Abuse** – Complete walkthrough of how npm lifecycle hooks bypass traditional security controls
- **Credential Harvesting Patterns** – Evidence destruction techniques, detector evasion, and persistence mechanisms
- **APT Attribution** – Sapphire Sleet operational patterns in supply chain attack context

## Contact & Attribution

**Report Author:** Charudatta Padhye | Security Engineer

**LinkedIn:** linkedin.com/in/charudatta-padhye

**Report Status:** FINAL

**Last Updated:** April 02, 2026

---

## License

This incident analysis and all associated IOCs, detection rules, and automation workflows are published under **CC-BY-4.0** to ensure maximum security community distribution and adaptation.

**Disclaimer:** This repository documents a real incident on isolated home lab infrastructure. All information is provided for defensive security purposes. The author takes no responsibility for misuse of IOCs, detection signatures, or technical analysis for offensive purposes.

---

## Related Resources

- [npm Supply Chain Security Best Practices](https://docs.npmjs.com/cli/v8/using-npm/security)
- [NIST Software Supply Chain Security Framework](https://csrc.nist.gov/projects/supply-chain-risk-management)
- [Microsoft Sapphire Sleet Attribution Report](https://microsoft.com)
- [CWE-1104: Use of Unmaintained Third Party Components](https://cwe.mitre.org/data/definitions/1104.html)

---

## Star This Repository If

- ⭐ You manage npm dependencies in enterprise environments
- ⭐ You operate a SIEM/SOAR platform and need supply chain threat detection
- ⭐ You're building secure CI/CD pipelines and want real-world attack patterns
- ⭐ You believe supply chain security should be open-source and community-driven
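
A minimal audit for three of the gaps listed under "What Went Wrong" (floating version ranges, install scripts, and the malicious versions named in the attack summary), as an added example that is not part of the repository. `auditProject` and the sample manifest and lockfile are constructed for illustration; `hasInstallScript` is the field npm writes into lockfileVersion 2/3 entries.

```javascript
// Added example (not from the repository). Audits a parsed package.json and a
// parsed package-lock.json (lockfileVersion 2/3 "packages" map).

// Versions the report names as malicious.
const KNOWN_BAD = new Set(['axios@1.14.1', 'axios@0.30.4', 'plain-crypto-js@4.2.1']);

// An exact pin is a bare semver such as "1.14.0". Anything else (^, ~, *, tags,
// git or file specifiers) is reported so it gets a manual look.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function auditProject(manifest, lock) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(range)) {
        findings.push({ type: 'floating-range', pkg: name, detail: range });
      }
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0) continue; // root project or workspace entry, not an installed package
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(i + 'node_modules/'.length);
    const id = `${name}@${entry.version}`;
    if (KNOWN_BAD.has(id)) findings.push({ type: 'known-malicious', pkg: id, detail: path });
    if (entry.hasInstallScript) findings.push({ type: 'install-script', pkg: id, detail: path });
  }
  return findings;
}

// Constructed sample input modelled on the incident described above.
const sampleManifest = { dependencies: { axios: '^1.14.0', express: '4.19.2' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};

const sampleFindings = auditProject(sampleManifest, sampleLock);
for (const f of sampleFindings) console.log(`${f.type}\t${f.pkg}\t${f.detail}`);
```

In CI, a non-empty result would fail the job before `npm ci --ignore-scripts` runs; a release-age check needs registry publish times and is not covered here.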