Mate’s Guide to Investigating the Axios Supply Chain Attack

Overview

A healthcare institution's cloud environment triggered a Wiz alert from a compromised Axios package. In supply chain attacks every second counts. Evidence was already self-deleting. A Python RAT had begun beaconing to attacker infrastructure. And the CI/CD pipeline, with its source code, build secrets, and downstream deployment systems, was in the crosshairs.

Mate’s AI SOC agents investigated and successfully remediated the attack. This post describes the approach that Mate took, to successfully conclude the incident.

‍

The Attack: A Compromised Axios Package

A threat actor compromised the npm distribution of Axios, a widely used JavaScript HTTP client, and published malicious versions that functioned as a dropper, executing a staged payload sequence upon installation. The malicious package downloaded a second-stage Python-based remote access trojan from attacker-controlled infrastructure at sfrclak.com:8000, established persistence, then self-deleted to remove forensic evidence. The target was the organization's CI/CD pipeline, a high-value environment where a successful foothold means access to source code, build secrets, and downstream deployment systems.

‍

Step 1: Triage and Prioritization

The first question in any supply chain incident is how serious it is and how far it has spread.

Mate triaged hundreds of active alerts in the environment and elevated this incident to P0 priority. The alert arrived to the analyst pre-investigated: the full attack chain had already been reconstructed, affected resources had been profiled, and all relevant context had been assembled across the security stack. There was no manual enrichment queue, no waiting for threat intelligence lookups to return, and no need to pivot between tools to piece together what happened.

‍

Step 2: Full Process Chain Analysis

To understand what an attacker did, you need to see everything they touched, in sequence, without gaps.

Mate reconstructed the complete execution path from the initial package manager installation through to second-stage payload execution. Every command executed by the malicious dependency was analyzed and attributed: the dropper script, the download from the C2 server, the Python RAT deployment, and the self-deletion routine. This provided an unambiguous picture of attacker intent and confirmed the full scope of what executed on the affected system.

‍

Step 3: Threat Intelligence and Domain & IP Prevalence

Knowing what the attacker used is only half the picture. The critical question is whether that infrastructure had appeared in the environment before.

Mate ran automated threat intelligence against all identified malicious C2 domains and IP addresses. In parallel, it performed domain and IP prevalence analysis across the organization's full security infrastructure: DNS logs, cloud runtime telemetry, device timelines, and network logs.

The result was definitive. Zero prior presence of the malicious infrastructure anywhere in the environment. This ruled out pre-existing lateral movement and confirmed that the attack was detected at an early stage, before the attacker had established any meaningful foothold beyond the initial execution attempt.

‍

Step 4: Cloud Resource and Secrets Exposure Analysis

In a CI/CD attack, the blast radius extends far beyond the infected host. The real risk is what the attacker could reach from there.

Because the attack targeted a CI/CD pipeline, Mate performed a risk analysis on all cloud resources connected to the affected environment to identify which secrets could have been exposed or compromised during the incident window. This step determines the true blast radius: which repositories are affected, which downstream services may have been touched, and what credential rotation is required. Mate surfaced this analysis automatically as part of the initial investigation, without requiring manual dependency tracing by the analyst.

‍

‍

Why Speed Is the Deciding Factor

Supply chain attacks exploit trusted processes. A legitimate package manager running a legitimate install command is not inherently suspicious. The malicious behavior only becomes detectable once execution begins, and by that point, in a manually-driven SOC, the investigation has not yet started. In supply chain attacks specifically, evidence is deleted faster than most teams can respond, and may be gone before investigation begins.

The gap between initial execution and active analyst investigation is where attackers operate. In this incident, that gap was compressed to near-zero. Mate's agents began investigation at the moment of alert generation, which meant the response team had full situational awareness before making any containment decisions, rather than building that awareness under time pressure after the fact.

This matters particularly for healthcare institutions, where CI/CD environments frequently hold production secrets, service account credentials, and access to regulated data systems, including systems that touch patient data and clinical infrastructure. Knowing the precise scope of secret exposure within minutes of detection, rather than hours, directly affects the speed and accuracy of the remediation response.

‍

Recommended Response Actions

Based on the investigation findings, Mate's agents produced a structured response plan:

1. Root cause identification. Examine source code and locate the dependency files containing the compromised Axios version. Confirm exactly where and how the malicious package entered the build.

2. CI/CD pipeline tracing. Identify the specific repository that triggered the build which executed the malicious dependency. Tracing the build lineage confirms whether any other pipelines were exposed to the same package.

3. Secrets exposure assessment. Determine which secrets were attached to the CI server during the potential compromise window. This assessment drives rotation priorities, knowing which credentials to rotate, in what order, and on what timeline.

4. Network containment. Block the identified malicious DNS domains and IP addresses at both layer 4 and layer 7 firewalls. Severing C2 communication paths is the immediate priority while root cause analysis and rotation proceed in parallel.

‍

Conclusion

Investigating a supply chain attack is a race against an attacker who has already started the clock. The dropper self-deletes. The RAT beacons silently. Evidence degrades. Every minute without full situational awareness is a minute the attacker can use.

The healthcare institution contained the threat quickly not because the attack was unsophisticated, but because the investigation was complete before containment decisions needed to be made. Full process chain visibility, confirmed domain and IP prevalence, and secrets exposure analysis were all in hand within seconds of the initial alert.

The agents did not replace analyst judgment. They ensured that judgment was applied to validated findings rather than spent on manual data gathering.

As supply chain attacks continue to mature, the organizations best positioned to respond are those with SOC capabilities that operate at the speed of detection, not the speed of manual investigation.