213 changes: 213 additions & 0 deletions rules/malware/supplychain/axios.yara
@@ -0,0 +1,213 @@
import "hash"

// start third-party
// source: https://github.com/Neo23x0/signature-base/pull/395
rule MAL_NPM_SupplyChain_Attack_Mar26: critical js {
meta:
description = "Detects package.json which include the malicious plain-crypto-js package as dependency"
author = "Marius Benthin"
date = "2026-03-31"
reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
hash = "5e3e89c7351f385e36bb70286866a62957cc1aaab195539edb8c7bb62968a137"
score = 80

strings:
$s1 = "\"dependencies\":"
// This is the specific malicious package that was added to the npm registry, which is a typo-squatting of the popular crypto-js package
$s2 = { 22 70 6C 61 69 6E 2D 63 72 79 70 74 6F 2D 6A 73 22 3A [0-3] 22 [0-2] 34 2E 32 2E } // "plain-crypto-js": "^4.2."

condition:
filesize < 10KB
and all of them
}

// source: https://github.com/Neo23x0/signature-base/pull/395
rule SUSP_JS_Dropper_Mar26: critical js {
meta:
description = "Detects suspicious JavaScript dropper used in plain-crypto-js supply chain attacks"
author = "Marius Benthin"
date = "2026-03-31"
reference = "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
hash = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
score = 70

strings:
$sa1 = "Buffer.from("
$sa2 = "FileSync("
$sa3 = ".replaceAll("

$sb1 = ".arch()"
$sb2 = ".platform()"
$sb3 = ".release()"
$sb4 = ".type()"

condition:
filesize < 10KB
and all of ($sa*)
and 2 of ($sb*)
}

/*
* Axios npm Supply Chain Compromise - YARA Detection Rules
* Date: 2026-03-31 | Version: 2
* Author: Automated Analysis (Claude Code)
* Reference: https://gist.github.com/N3mes1s/0c0fc7a0c23cdb5e1c8f66b208053ed6
* Tested against all 5 payloads in isolated Lima VM
*/

// modified to include severity tags

rule axios_dropper_setup_js: critical {
meta:
description = "Axios supply chain - obfuscated setup.js dropper"
hash = "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
date = "2026-03-31"

strings:
$xor = "OrDeR_7077"
$entry = "_entry"
$id = "6202033"

condition:
filesize < 10KB and $xor and $entry and $id
}

rule axios_win_stage1: critical windows {
meta:
description = "Axios supply chain - Windows download cradle (system.bat)"
hash = "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd"
date = "2026-03-31"

strings:
$cradle = "scriptblock]::Create"
$post = "packages.npm.org/product1"

condition:
filesize < 500 and $cradle and $post
}

rule axios_win_ps_rat: critical windows {
meta:
description = "Axios supply chain - Windows PowerShell RAT"
hash = "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101"
date = "2026-03-31"

strings:
$class = "Extension.SubRoutine"
$var1 = "$rotjni"
$var2 = "$daolyap"
$rsp1 = "rsp_peinject"
$rsp2 = "rsp_runscript"
$rsp3 = "rsp_rundir"
$rsp4 = "rsp_kill"

condition:
$class or ($var1 and $var2) or (3 of ($rsp*))
}

rule axios_macos_nukesped: critical macos {
meta:
description = "Axios supply chain - macOS NukeSped RAT"
hash = "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a"
date = "2026-03-31"

strings:
$mz = { CA FE BA BE }
$build = "Jain_DEV"
$project = "macWebT"
$drop = "/private/tmp/.%s"
$codesign = "codesign --force --deep --sign"
$rsp1 = "rsp_peinject"
$rsp2 = "rsp_runscript"

condition:
$mz at 0 and ($build or $project or ($drop and $codesign) or ($rsp1 and $rsp2))
}

rule axios_linux_python_rat: critical linux {
meta:
description = "Axios supply chain - Linux Python RAT (ld.py)"
hash = "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
date = "2026-03-31"

strings:
$fn1 = "do_action_ijt"
$fn2 = "do_action_scpt"
$fn3 = "do_action_dir"
$rsp1 = "rsp_peinject"
$rsp2 = "rsp_runscript"
$rsp3 = "rsp_rundir"

condition:
($fn1 and $fn2 and $fn3) or (3 of ($rsp*))
}

rule axios_rat_generic: critical {
meta:
description = "Generic detection for any axios supply chain RAT"
date = "2026-03-31"

strings:
$ua = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
$b1 = "FirstInfo"
$b2 = "BaseInfo"
$b3 = "CmdResult"
$r1 = "rsp_peinject"
$r2 = "rsp_runscript"
$r3 = "rsp_rundir"

condition:
($ua and 2 of ($b*)) or (3 of ($r*))
}

rule axios_c2_indicators: critical {
meta:
description = "Axios supply chain C2 network indicators"
date = "2026-03-31"

strings:
$c2 = "sfrclak.com"
$path = "/6202033"
$p0 = "packages.npm.org/product0"
$p1 = "packages.npm.org/product1"
$p2 = "packages.npm.org/product2"

condition:
$c2 or ($path and any of ($p*)) or (2 of ($p*))
}

rule axios_injector_dll: critical windows {
meta:
description = "Extension.SubRoutine .NET injection DLL (DLL not recovered)"
date = "2026-03-31"

strings:
$mz = { 4D 5A }

Check warning on line 185 in rules/malware/supplychain/axios.yara


VirusTotal YARA-CI / Rules Analysis

rules/malware/supplychain/axios.yara#L185

warning[text_as_hex]: hex pattern could be written as text literal --> line:185:15 | 185 | $mz = { 4D 5A } | --------- this pattern can be written as a text literal | help: consider the following change | 185 - $mz = { 4D 5A } 185 + $mz = "MZ" |
$class = "Extension.SubRoutine" wide
$method = "Run2" wide

condition:
$mz at 0 and $class and $method
}
// end third-party

rule axios_2026_03: critical {
meta:
description = "Contains IOCs from the 2026/03/19 Axios -> plain-crypto-js compromise"

strings:
$artifact1 = "/Library/Caches/com.apple.act.mond"
$artifact2 = "%PROGRAMDATA%\\wt.exe"
$artifact3 = "/tmp/ld.py"
$c2 = "sfrclak.com:8000/6202033"
$domain1 = "sfrclak.com"
$ip = "142.11.206.73"
$url = "packages.npm.org/product2"

condition:
(hash.sha256(0, filesize) == "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd")
or (hash.sha256(0, filesize) == "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101")
or (hash.sha256(0, filesize) == "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a")
or (hash.sha256(0, filesize) == "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf")
or any of them
}
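Review bot: In `axios_2026_03` the condition evaluates the four `hash.sha256(0, filesize)` comparisons before the cheap `any of them` string test, so every scanned file is fully hashed even when none of the IoC strings is present; since YARA evaluates `or` left to right, moving `any of them` to the front of the condition lets the string scan short-circuit the hashing on the common negative case (I believe the hash module caches the digest per scan, but it is still computed once per file). Separately, in `axios_macos_nukesped` the pattern named `$mz` is `CA FE BA BE`, the universal/fat Mach-O (and Java class) magic, so a thin x86_64/arm64 slice of the same RAT, whose header starts `CF FA ED FE`, would not satisfy `$mz at 0`; renaming it `$fat_magic` and adding the thin magic as an alternative would close that gap. The local `axios_2026_03` rule also lacks the `author`/`reference`/`hash` meta fields that the third-party rules above carry; a `reference` pointing at the same StepSecurity write-up would help triage.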
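--- a/rules/malware/supplychain/litellm.yara
+++ b/rules/malware/supplychain/litellm.yara
@@ -0,0 +1,19 @@
+// source: https://github.com/Neo23x0/signature-base/pull/394
+rule MAL_LiteLLM_SupplyChain_Mar26: critical python {
+meta:
+description = "Detects malicious indicators used in LiteLLM supply chain attack"
+author = "Marius Benthin"
+date = "2026-03-28"
+reference = "https://github.com/BerriAI/litellm/issues/24512"
+hash = "71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238"
+score = 80
+
+strings:
+$s1 = "exec(base64.b64decode("
+$s2 = "litellm." base64
+$s3 = "subprocess.DEVNULL"
+
+condition:
+filesize < 500KB
+and all of them
+}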