Threat Actors Exploit npm Ecosystem to Deploy AdaptixC2 Post-Exploitation Framework

In 2025, the cybersecurity landscape witnessed the emergence of AdaptixC2, a sophisticated post-exploitation framework that quickly became a preferred tool for threat actors seeking agility and stealth. Positioned as a formidable alternative to established tools like Cobalt Strike, AdaptixC2’s capabilities have raised significant concerns among security professionals.

In October 2025, researchers uncovered a supply chain attack leveraging the npm package registry to distribute AdaptixC2. This attack targeted developers and organizations that rely on Node.js modules for critical infrastructure and application development. The malicious campaign centered around a deceptive npm package named `https-proxy-utils`, which mimicked the functionality and naming conventions of legitimate libraries such as `http-proxy-agent`.

Infection Mechanism:

The attackers cloned proxy-related features from popular modules, ensuring that `https-proxy-utils` appeared both useful and harmless. Upon installation, the package executed a post-install script designed to download and deploy the AdaptixC2 agent onto the victim’s system. This process established a stealthy foothold for remote access and broader exploitation.

A notable aspect of this campaign was its tailored infection strategy for multiple operating systems. Once the malicious package was executed, it detected the host OS and deployed the payload using methods specific to Windows, macOS, or Linux.

– Windows: The code sideloaded the agent as a DLL placed alongside a legitimate executable, then used JavaScript to launch that executable so it loaded the malicious DLL.

– macOS and Linux: The attack employed autorun configurations and architecture-specific binary delivery to ensure persistent control.

This OS-targeted approach enhanced the framework’s ability to evade conventional detection mechanisms, broadening its scope for exploitation across diverse environments.

Implications and Recommendations:

The discovery of this attack underscores the persistent risk posed by supply chain vulnerabilities within the open-source ecosystem. As the npm ecosystem continues to grow, attackers are increasingly exploiting its trust and wide reach. This incident highlights the need for vigilant vetting and continuous monitoring of open-source components.

To mitigate such risks, organizations and developers should consider the following measures:

1. Implement Strict Package Vetting Processes: Before incorporating new packages into projects, conduct thorough reviews to verify their authenticity and integrity.

2. Monitor for Suspicious Activity: Utilize tools and services that can detect unusual behaviors or changes within your development environment.

3. Stay Informed: Keep abreast of the latest security advisories and reports related to the npm ecosystem and other open-source platforms.

4. Educate Development Teams: Provide training on recognizing and responding to potential supply chain attacks and other cybersecurity threats.

By adopting these practices, organizations can enhance their resilience against supply chain attacks and protect their development environments from emerging threats like AdaptixC2.