Threat Actors Leverage npm Ecosystem to Deliver AdaptixC2 Post-Exploitation Framework
This October, researchers uncovered the delivery of the AdaptixC2 post-exploitation framework through the npm package registry: a supply chain attack targeting developers and organizations that rely on Node.js modules for critical infrastructure and application development. The incident revolved around a deceptive npm package that mimicked the functionality and naming conventions of widely used legitimate libraries. Upon installation, however, the package executed a post-install script designed to download and deploy the AdaptixC2 agent onto the victim’s system, establishing a stealthy foothold for remote access and broader exploitation.
Securelist researchers were the first to identify and analyze the AdaptixC2 npm infection, noting both the technical sophistication of the attack and its alarming implications for open-source threat landscapes. As the npm ecosystem grows, attackers are increasingly exploiting its trust and wide reach. The discovery highlights the persistent risk posed by supply chain attacks, emphasizing the need for vigilant vetting and continuous monitoring of open-source components.
A standout feature of the AdaptixC2 npm campaign is its tailored infection strategy for multiple operating systems. Once the malicious package executes, it detects the host OS and deploys the payload using methods designed for Windows, macOS, or Linux. For Windows, the code sideloads the agent as a DLL placed alongside a legitimate executable, using JavaScript to launch that executable so the malicious DLL is loaded into its process.
This flexible approach extends across macOS and Linux systems, employing autorun configuration and architecture-specific binary delivery to ensure persistent control. Such OS-targeted infection routines deepen the framework’s ability to evade conventional detection, broadening its scope for exploitation across diverse environments.
To read the complete article see: Cyber Security News