Update third-party rules as of 2026-04-01 (#1447)

* Update third-party rules as of 2026-04-01

* add more third-party rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: egibs <20933572+egibs@users.noreply.github.com>

Author: 3 people

rules/malware/supplychain/axios.yara

@@ -0,0 +1,213 @@
+import "hash"
+
+// start third-party
+// source: https://github.com/Neo23x0/signature-base/pull/395
+rule MAL_NPM_SupplyChain_Attack_Mar26: critical js {
+  meta:
+    description = "Detects package.json which include the malicious plain-crypto-js package as dependency"
+    author      = "Marius Benthin"
+    date        = "2026-03-31"
+    reference   = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
+    hash        = "5e3e89c7351f385e36bb70286866a62957cc1aaab195539edb8c7bb62968a137"
+    score       = 80
+
+  strings:
+    $s1 = "\"dependencies\":"
+    // This is the specific malicious package that was added to the npm registry, which is a typo-squatting of the popular crypto-js package
+    $s2 = { 22 70 6C 61 69 6E 2D 63 72 79 70 74 6F 2D 6A 73 22 3A [0-3] 22 [0-2] 34 2E 32 2E }  // "plain-crypto-js": "^4.2."
+
+  condition:
+    filesize < 10KB
+    and all of them
+}
+
+// source: https://github.com/Neo23x0/signature-base/pull/395
+rule SUSP_JS_Dropper_Mar26: critical js {
+  meta:
+    description = "Detects suspicious JavaScript dropper used in plain-crypto-js supply chain attacks"
+    author      = "Marius Benthin"
+    date        = "2026-03-31"
+    reference   = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
+    hash        = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
+    score       = 70
+
+  strings:
+    $sa1 = "Buffer.from("
+    $sa2 = "FileSync("
+    $sa3 = ".replaceAll("
+
+    $sb1 = ".arch()"
+    $sb2 = ".platform()"
+    $sb3 = ".release()"
+    $sb4 = ".type()"
+
+  condition:
+    filesize < 10KB
+    and all of ($sa*)
+    and 2 of ($sb*)
+}
+
+/*
+ * Axios npm Supply Chain Compromise - YARA Detection Rules
+ * Date: 2026-03-31 | Version: 2
+ * Author: Automated Analysis (Claude Code)
+ * Reference: https://gist.github.com/N3mes1s/0c0fc7a0c23cdb5e1c8f66b208053ed6
+ * Tested against all 5 payloads in isolated Lima VM
+ */
+
+// modified to include severity tags
+
+rule axios_dropper_setup_js: critical {
+  meta:
+    description = "Axios supply chain - obfuscated setup.js dropper"
+    hash        = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
+    date        = "2026-03-31"
+
+  strings:
+    $xor   = "OrDeR_7077"
+    $entry = "_entry"
+    $id    = "6202033"
+
+  condition:
+    filesize < 10KB and $xor and $entry and $id
+}
+
+rule axios_win_stage1: critical windows {
+  meta:
+    description = "Axios supply chain - Windows download cradle (system.bat)"
+    hash        = "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd"
+    date        = "2026-03-31"
+
+  strings:
+    $cradle = "scriptblock]::Create"
+    $post   = "packages.npm.org/product1"
+
+  condition:
+    filesize < 500 and $cradle and $post
+}
+
+rule axios_win_ps_rat: critical windows {
+  meta:
+    description = "Axios supply chain - Windows PowerShell RAT"
+    hash        = "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101"
+    date        = "2026-03-31"
+
+  strings:
+    $class = "Extension.SubRoutine"
+    $var1  = "$rotjni"
+    $var2  = "$daolyap"
+    $rsp1  = "rsp_peinject"
+    $rsp2  = "rsp_runscript"
+    $rsp3  = "rsp_rundir"
+    $rsp4  = "rsp_kill"
+
+  condition:
+    $class or ($var1 and $var2) or (3 of ($rsp*))
+}
+
+rule axios_macos_nukesped: critical macos {
+  meta:
+    description = "Axios supply chain - macOS NukeSped RAT"
+    hash        = "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a"
+    date        = "2026-03-31"
+
+  strings:
+    $mz       = { CA FE BA BE }
+    $build    = "Jain_DEV"
+    $project  = "macWebT"
+    $drop     = "/private/tmp/.%s"
+    $codesign = "codesign --force --deep --sign"
+    $rsp1     = "rsp_peinject"
+    $rsp2     = "rsp_runscript"
+
+  condition:
+    $mz at 0 and ($build or $project or ($drop and $codesign) or ($rsp1 and $rsp2))
+}
+
+rule axios_linux_python_rat: critical linux {
+  meta:
+    description = "Axios supply chain - Linux Python RAT (ld.py)"
+    hash        = "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
+    date        = "2026-03-31"
+
+  strings:
+    $fn1  = "do_action_ijt"
+    $fn2  = "do_action_scpt"
+    $fn3  = "do_action_dir"
+    $rsp1 = "rsp_peinject"
+    $rsp2 = "rsp_runscript"
+    $rsp3 = "rsp_rundir"
+
+  condition:
+    ($fn1 and $fn2 and $fn3) or (3 of ($rsp*))
+}
+
+rule axios_rat_generic: critical {
+  meta:
+    description = "Generic detection for any axios supply chain RAT"
+    date        = "2026-03-31"
+
+  strings:
+    $ua = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
+    $b1 = "FirstInfo"
+    $b2 = "BaseInfo"
+    $b3 = "CmdResult"
+    $r1 = "rsp_peinject"
+    $r2 = "rsp_runscript"
+    $r3 = "rsp_rundir"
+
+  condition:
+    ($ua and 2 of ($b*)) or (3 of ($r*))
+}
+
+rule axios_c2_indicators: critical {
+  meta:
+    description = "Axios supply chain C2 network indicators"
+    date        = "2026-03-31"
+
+  strings:
+    $c2   = "sfrclak.com"
+    $path = "/6202033"
+    $p0   = "packages.npm.org/product0"
+    $p1   = "packages.npm.org/product1"
+    $p2   = "packages.npm.org/product2"
+
+  condition:
+    $c2 or ($path and any of ($p*)) or (2 of ($p*))
+}
+
+rule axios_injector_dll: critical windows {
+  meta:
+    description = "Extension.SubRoutine .NET injection DLL (DLL not recovered)"
+    date        = "2026-03-31"
+
+  strings:
+    $mz     = { 4D 5A }
+    $class  = "Extension.SubRoutine" wide
+    $method = "Run2" wide
+
+  condition:
+    $mz at 0 and $class and $method
+}
+// end third-party
+
+rule axios_2026_03: critical {
+  meta:
+    description = "Contains IOCs from the 2026/03/19 Axios -> plain-crypto-js compromise"
+
+  strings:
+    $artifact1 = "/Library/Caches/com.apple.act.mond"
+    $artifact2 = "%PROGRAMDATA%\\wt.exe"
+    $artifact3 = "/tmp/ld.py"
+    $c2        = "sfrclak.com:8000/6202033"
+    $domain1   = "sfrclak.com"
+    $ip        = "142.11.206.73"
+    $url       = "packages.npm.org/product2"
+
+  condition:
+    (hash.sha256(0, filesize) == "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd")
+    or (hash.sha256(0, filesize) == "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101")
+    or (hash.sha256(0, filesize) == "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a")
+    or (hash.sha256(0, filesize) == "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf")
+    or any of them
+}

rules/malware/supplychain/litellm.yara

@@ -0,0 +1,19 @@
+// source: https://github.com/Neo23x0/signature-base/pull/394
+rule MAL_LiteLLM_SupplyChain_Mar26: critical python {
+  meta:
+    description = "Detects malicious indicators used in LiteLLM supply chain attack"
+    author      = "Marius Benthin"
+    date        = "2026-03-28"
+    reference   = "https://github.com/BerriAI/litellm/issues/24512"
+    hash        = "71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238"
+    score       = 80
+
+  strings:
+    $s1 = "exec(base64.b64decode("
+    $s2 = "litellm." base64
+    $s3 = "subprocess.DEVNULL"
+
+  condition:
+    filesize < 500KB
+    and all of them
+}