AdaptixC2 spread through malicious npm package

AdaptixC2, an open-source post-exploitation framework that is growing in popularity among malicious actors, was found hidden in an npm package posing as an HTTPS proxy utility.

The package, https-proxy-utils, included a post-install script that downloads and executes the AdaptixC2 agent, Kaspersky researchers said in a post Friday.

AdaptixC2, which is described in the post as an alternative to Cobalt Strike, provides a wide range of command-and-control (C2) features and has a modular architecture, making it a flexible post-exploitation tool for both legitimate penetration testers and malicious attackers.

The https-proxy-utils package, which has since been removed from the npm registry, copied legitimate proxy functionality from another package called proxy-from-env, which has 50 million weekly downloads.

The researchers said it may have also been attempting to imitate other legitimate packages like http-proxy-agent (70 million weekly downloads) and https-proxy-agent (90 million weekly downloads).

The malicious post-install script tailored its delivery method depending on the victim’s operating system and system architecture (x64 or ARM). For Windows machines, it executed the AdaptixC2 agent via DLL sideloading into msdtc.exe, which it copied to the C:\Windows\Tasks directory.

For macOS users, the AdaptixC2 agent was installed as an executable to the autorun directory Library/LaunchAgents along with a plist autorun configuration file. On Linux machines, binary files were delivered to the temporary directory /tmp/.fonts-unix and assigned execute permissions.

AdaptixC2’s capabilities include C2 beaconing, command execution, file management and data exfiltration — it also supports additional functionalities such as credential harvesting, lateral movement and custom payload deployment through plugins called “extenders.”

Threat actors have previously been observed spreading AdaptixC2 through social engineering on Microsoft Teams, where attackers posed as help desk staff and convinced victims to initiate a remote session via Quick Assist, according to Palo Alto Networks Unit 42.

Unit 42 also reported that AdaptixC2 has been seen in attacks involving Akira and Fog ransomware.

Supply chain attacks on the npm platform have also gained attention in recent months due to high-profile incidents including the Shai-Hulud worm and compromise of popular utilities like chalk, debug and ansi-styles.   

In the wake of these attacks, GitHub announced last month that it would be strengthening authentication requirements for npm publishing, including by requiring two-factor authentication for local publishing and enforcing the use of short-lived granular tokens.