AdaptixC2 Emerges in npm Supply-Chain Exploit Against Developers

Cybersecurity researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting the npm ecosystem, where threat actors distributed the AdaptixC2 post-exploitation framework through a malicious package disguised as a legitimate proxy utility.

The discovery highlights the growing risk of open-source software repositories as attack vectors for delivering advanced malware.

In October 2025, Kaspersky experts identified a malicious npm package named “https-proxy-utils” that was designed to deceive developers into installing malware on their systems.

The package cleverly mimicked legitimate proxy-related utilities, presenting itself as a tool for managing proxies within development projects.

To enhance its credibility, the threat actors cloned functionality from “proxy-from-env,” a popular legitimate package with approximately 50 million weekly downloads.

The malicious package’s name was deliberately crafted to resemble trusted packages such as “http-proxy-agent” and “https-proxy-agent,” which collectively receive over 160 million downloads per week.

This typosquatting technique exploits developers who may accidentally install the wrong package or fail to verify package names carefully.

Although the malicious package has since been removed from the npm registry, the incident demonstrates how easily attackers can abuse the trust developers place in open-source ecosystems.

AdaptixC2 Framework

What sets this attack apart is its sophisticated multi-platform delivery mechanism. The malicious package contained a post-install script that automatically executed when developers installed the package, downloading and deploying the AdaptixC2 agent tailored to the victim’s operating system.

AdaptixC2, which first became publicly available in early 2025, serves as an alternative to the well-known Cobalt Strike post-exploitation framework and was first observed being used maliciously in spring 2025.

For Windows systems, the attack employed DLL sideloading techniques by dropping the AdaptixC2 agent as a DLL file into the C:\Windows\Tasks directory. The script then copied the legitimate “msdtc.exe” file to the same location and executed it, which in turn loaded the malicious DLL.

On macOS, the payload was downloaded as an executable into the Library/LaunchAgents directory, accompanied by a plist configuration file for persistence.

The script detected whether the system was running on x64 or ARM architecture and fetched the matching payload variant.

Linux systems were targeted through a different approach, with the framework’s agent being downloaded into the /tmp/.fonts-unix temporary directory.

Similar to the macOS implementation, the script delivered architecture-specific binary files for x64 or ARM systems and assigned execute permissions to enable the malware to run.

Broader Implications

Once successfully deployed, the AdaptixC2 framework provides attackers with extensive capabilities including remote access, command execution, file and process management, and multiple persistence methods.

These features allow threat actors to maintain continuous access to compromised systems, conduct network reconnaissance, and deploy additional attack stages. The framework essentially transforms a developer’s machine into a foothold for broader network infiltration.

This incident is part of a disturbing trend of supply chain attacks targeting npm. Just one month prior to this discovery, the Shai-Hulud worm infected more than 500 npm packages using similar post-install script techniques.

These incidents underscore how threat actors are increasingly exploiting the trusted open-source supply chain to distribute post-exploitation frameworks and other malware. Organizations and developers who rely on npm packages in their products face significant exposure to these evolving threats.

Security experts recommend several protective measures for developers and organizations using open-source software.

Users should carefully verify the exact names of packages before installation, thoroughly vet unpopular and newly created repositories, and monitor frequently updated feeds on compromised packages and libraries.

The AdaptixC2 incident serves as a stark reminder that even routine development activities like installing dependencies can become entry points for sophisticated cyberattacks when proper security practices are not followed.
