The threat involves a malicious npm package named 'https-proxy-utils' that was uploaded to the npm registry posing as a proxy utility. This package contained a post-installation script that silently downloads and executes the AdaptixC2 agent, a sophisticated post-exploitation framework. The malicious package mimicked popular legitimate packages and cloned functionality from other npm packages to avoid suspicion. The post-install script includes distinct payload delivery mechanisms tailored for Windows, Linux, and macOS platforms, ensuring broad multi-platform infection capability. Upon successful deployment, the AdaptixC2 agent provides attackers with remote access, command execution capabilities, and persistence on compromised systems, allowing long-term control and potential lateral movement. The payloads are hosted on the domain cloudcenter.top, which serves binaries and configuration files for different OS architectures, including ARM and x64 variants. This attack vector highlights the growing trend of supply chain compromises within open-source ecosystems, where attackers exploit trust in widely used package repositories to distribute malware. Although no active exploitation campaigns have been reported yet, the presence of this agent in a public package repository poses a significant risk to developers and organizations that automatically install or update npm packages without thorough validation. The incident follows a similar pattern to previous high-profile supply chain attacks such as the Shai-Hulud worm, emphasizing the need for enhanced security controls around software dependencies.

European organizations that rely on npm packages for software development, deployment, or automation are at risk of inadvertently installing this malicious package, leading to system compromise across multiple operating systems. The AdaptixC2 agent's capabilities for remote access, command execution, and persistence can result in data breaches, intellectual property theft, disruption of services, and potential lateral movement within corporate networks. Organizations with mixed OS environments (Windows, Linux, macOS) face increased exposure due to the multi-platform nature of the payload. Supply chain attacks like this undermine trust in open-source ecosystems and can lead to widespread impact if the package is included in automated build or deployment pipelines. The malicious infrastructure's domain (cloudcenter.top) could be used to deliver additional payloads or updates, extending the attacker's control. Given the medium severity and no known active exploitation campaigns, the immediate impact may be limited but could escalate if attackers leverage this foothold for further attacks. The incident also raises regulatory and compliance concerns under European data protection laws if personal or sensitive data is compromised.

1. Implement strict package vetting policies: Avoid installing npm packages from untrusted or unknown authors, and verify package authenticity and integrity before use. 2. Monitor and audit post-install scripts in npm packages to detect suspicious or unexpected behavior. 3. Employ dependency scanning tools that can detect known malicious packages or anomalous scripts. 4. Restrict network egress to block connections to suspicious domains such as cloudcenter.top and other known malicious infrastructure. 5. Use sandboxed or isolated environments for testing new or updated packages before deployment in production. 6. Maintain up-to-date endpoint detection and response (EDR) solutions capable of identifying post-exploitation frameworks like AdaptixC2. 7. Educate developers and DevOps teams about supply chain risks and encourage the use of package lock files and reproducible builds. 8. Establish incident response plans that include supply chain compromise scenarios. 9. Collaborate with npm registry maintainers and report suspicious packages promptly to facilitate removal. 10. Consider implementing software bill of materials (SBOM) tracking to maintain visibility of all third-party components in use.