Post-exploitation framework now also delivered via npm

[harlan4096]

Incident description

The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In spring of 2025, the framework was first observed being used for malicious means.

In October 2025, Kaspersky experts found that the npm ecosystem contained a malicious package with a fairly convincing name:
 

Code:

https-proxy-utils

. It was posing as a utility for using proxies within projects. At the time of this post, the package had already been taken down.
The name of the package closely resembles popular legitimate packages:
 

Code:

http-proxy-agent

, which has approximately 70 million weekly downloads, and
 

Code:

https-proxy-agent

with 90 million downloads respectively. Furthermore, the advertised proxy-related functionality was cloned from another popular legitimate package
 

Code:

proxy-from-env

, which boasts 50 million weekly downloads. However, the threat actor injected a post-install script into
 

Code:

https-proxy-utils

, which downloads and executes a payload containing the AdaptixC2 agent.

Metadata for the malicious (left) and legitimate (right) packages

OS-specific adaptation

The script includes various payload delivery methods for different operating systems. The package includes loading mechanisms for Windows, Linux, and macOS. In each OS, it uses specific techniques involving system or user directories to load and launch the implant.

In Windows, the AdaptixC2 agent is dropped as a DLL file into the system directory
 

Code:

C:\Windows\Tasks

. It is then executed via DLL sideloading. The JS script copies the legitimate
 

Code:

msdtc.exe

file to the same directory and executes it, thus loading the malicious DLL.

Continue Reading...