{"id":180317,"date":"2026-04-01T11:52:56","date_gmt":"2026-04-01T18:52:56","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=180317"},"modified":"2026-05-08T12:11:24","modified_gmt":"2026-05-08T19:11:24","slug":"axios-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/fr\/axios-supply-chain-attack\/","title":{"rendered":"Security briefing: major fallout from the Axios supply chain attack"},"content":{"rendered":"<h2><a id=\"post-180317-_heading=h.hdxdy7pu6zj6\"><\/a>Executive summary<\/h2>\n<p>Unit 42 researchers have observed significant fallout from the major supply chain attack targeting the Axios JavaScript library. The attack took place after an Axios maintainer's npm account was hijacked, which led to the publication of malicious updates (versions v1.14.1 and v0.30.4).<\/p>\n<p>These compromised versions introduced a hidden dependency called <span style=\"font-family: 'courier new', courier, monospace;\">plain-crypto-js<\/span>. It is a cross-platform remote access trojan (RAT) capable of affecting Windows, macOS and Linux systems. The malware was designed to perform reconnaissance and establish persistence, with an additional self-destruct function to evade detection.<\/p>\n<p>Axios is a popular promise-based HTTP client library for JavaScript, used to make API requests in browsers and Node.js. 
It offers automatic JSON data transformation, request\/response interception and request cancellation, which makes it a standard tool for connecting front-end applications to back-end services.<\/p>\n<p>Analysis of the malware used by the attackers reveals commonalities with operations <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc1069-targets-cryptocurrency-ai-social-engineering\" target=\"_blank\" rel=\"noopener\">previously reported as involving<\/a> the Democratic People's Republic of Korea (North Korea).<\/p>\n<p>This campaign has reached the following sectors in the United States, Europe, the Middle East, South Asia and Australia:<\/p>\n<ul>\n<li>Business services<\/li>\n<li>Customer service<\/li>\n<li>Financial services<\/li>\n<li>High technology<\/li>\n<li>Higher education<\/li>\n<li>Insurance<\/li>\n<li>Media and entertainment<\/li>\n<li>Medical devices<\/li>\n<li>Professional and legal services<\/li>\n<li>Retail services<\/li>\n<\/ul>\n<p>This article recommends a number of <a href=\"#post-180317-_heading=h.qid24fciurhi\" target=\"_blank\" rel=\"noopener\">mitigation measures<\/a>.<\/p>\n<p>Palo Alto Networks customers are better protected against the threats described in this article through the following products and services:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a><\/li>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a><\/li>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/agentix\" target=\"_blank\" rel=\"noopener\">Cortex AgentiX<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cloud\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a><\/li>\n<li><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSIAM\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a><\/li>\n<\/ul>\n<p>The <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a> can also step in during a compromise or carry out a proactive assessment to reduce your level of risk.<\/p>\n<table style=\"width: 98.5166%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related topics<\/b><\/td>\n<td style=\"width: 207.734%;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/tag\/supply-chain-fr\/\" target=\"_blank\" rel=\"noopener\"><b>Supply Chain<\/b><\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/category\/top-cyberthreats-fr\/\" target=\"_blank\" rel=\"noopener\"><b>High-profile threats<\/b><\/a><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-180317-_heading=h.pql9u3k11enq\"><\/a>Details of the Axios supply chain attack<\/h2>\n<p>The attacker published two compromised versions of Axios (v1.14.1 and v0.30.4) but did not modify the Axios source code. 
Instead, they injected <span style=\"font-family: 'courier new', courier, monospace;\">plain-crypto-js@4.2.1<\/span> into the <span style=\"font-family: 'courier new', courier, monospace;\">package.json<\/span> file as a runtime dependency.<\/p>\n<h3><a id=\"post-180317-_heading=h.lw1b54db7i98\"><\/a>The post-install dropper<\/h3>\n<p>With the compromised versions of Axios, when a developer runs <span style=\"font-family: 'courier new', courier, monospace;\">npm install axios<\/span>, npm automatically resolves the dependency tree and installs <span style=\"font-family: 'courier new', courier, monospace;\">plain-crypto-js<\/span>. This triggers npm's postinstall lifecycle hook, which runs a heavily obfuscated <span style=\"font-family: 'courier new', courier, monospace;\">Node.js<\/span> dropper script named <span style=\"font-family: 'courier new', courier, monospace;\">setup.js<\/span> in the background.<\/p>\n<p>To obfuscate its operations, <span style=\"font-family: 'courier new', courier, monospace;\">setup.js<\/span> uses a two-layer encoding scheme involving string reversal, Base64 decoding and XOR encryption with the key <span style=\"font-family: 'courier new', courier, monospace;\">OrDeR_7077<\/span>.<\/p>\n<h3><a id=\"post-180317-_heading=h.9270hsgaau24\"><\/a>Retrieving platform-specific payloads<\/h3>\n<p>The dropper queries the operating system and sends an HTTP POST request to a command and control (C2) server at <span style=\"font-family: 'courier new', courier, monospace;\">sfrclak[.]com:8000<\/span>. 
To make this outbound traffic look like benign npm registry requests, it appends platform-specific paths:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">packages.npm[.]org\/product0<\/span> for macOS<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">packages.npm[.]org\/product1<\/span> for Windows<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">packages.npm[.]org\/product2<\/span> for Linux<\/li>\n<\/ul>\n<p>Figure 1 shows the commands for this first download stage.<\/p>\n<figure id=\"attachment_180318\" aria-describedby=\"caption-attachment-180318\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-180318 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/05\/word-image-585700-180317-1.png\" alt=\"Code snippets of the commands for each operating system: macOS, Windows and Linux.\" width=\"1000\" height=\"292\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/05\/word-image-585700-180317-1.png 1471w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/05\/word-image-585700-180317-1-786x230.png 786w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/05\/word-image-585700-180317-1-768x225.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-180318\" class=\"wp-caption-text\">Figure 1. First download stage by platform.<\/figcaption><\/figure>\n<h3><a id=\"post-180317-_heading=h.yxn0g7t7w6in\"><\/a>RAT execution<\/h3>\n<p>The C2 server delivers a different payload depending on the victim's operating system:<\/p>\n<ul>\n<li><strong>macOS<\/strong>: the dropper uses AppleScript to download a C++-compiled Mach-O binary, saves it to <span style=\"font-family: 'courier new', courier, monospace;\">\/Library\/Caches\/com.apple.act.mond<\/span>, makes it executable and launches it silently via <span style=\"font-family: 'courier new', courier, monospace;\">\/bin\/zsh<\/span>.<\/li>\n<li><strong>Windows<\/strong>: the dropper locates the Windows PowerShell binary and copies it to <span style=\"font-family: 'courier new', courier, monospace;\">%PROGRAMDATA%\\wt.exe<\/span>. It then uses VBScript to retrieve and launch a secondary PowerShell RAT script, which is subsequently executed by <span style=\"font-family: 'courier new', courier, monospace;\">wt.exe<\/span>. 
It also establishes persistence through a registry Run key.<\/li>\n<li><strong>Linux<\/strong>: the dropper uses Node.js's <span style=\"font-family: 'courier new', courier, monospace;\">execSync<\/span> to download a Python RAT script to <span style=\"font-family: 'courier new', courier, monospace;\">\/tmp\/ld.py<\/span> and runs it in the background using <span style=\"font-family: 'courier new', courier, monospace;\">nohup<\/span>.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.o5bik9hs9d2a\"><\/a>Unified RAT architecture<\/h3>\n<p>Although written in three different languages (C++, PowerShell and Python), the three payloads operate as implementations of the same RAT framework.<\/p>\n<p>They all use an identical C2 protocol, send Base64-encoded JSON data via an HTTP POST request and beacon to the server every 60 seconds. The C2 server accepts the same four commands from the attacker:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">kill<\/span> (self-termination)<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">runscript<\/span> (run shell\/script commands)<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">peinject<\/span> (drop and execute binary payloads)<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">rundir<\/span> (enumerate directories)<\/li>\n<\/ul>\n<p>All RAT variants use a hard-coded, highly anachronistic user-agent string that impersonates Internet Explorer 8 on Windows XP: <span style=\"font-family: 'courier new', courier, monospace;\">mozilla\/4.0 (compatible; msie 8.0; windows nt 5.1; trident\/4.0)<\/span><\/p>\n<h3><a id=\"post-180317-_heading=h.9vj9s0xfuagr\"><\/a>Overlap with WAVESHAPER<\/h3>\n<p>Initial analysis of the payload confirms an <a href=\"https:\/\/www.elastic.co\/security-labs\/axios-one-rat-to-rule-them-all\" target=\"_blank\" rel=\"noopener\">overlap<\/a> with <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc1069-targets-cryptocurrency-ai-social-engineering\" target=\"_blank\" rel=\"noopener\">WAVESHAPER<\/a>. WAVESHAPER is a C++ backdoor that communicates with its C2 server using the curl library, over either HTTP or HTTPS as specified in its command-line arguments.<\/p>\n<p>The C2 server address is also supplied via command-line parameters, which allows the backdoor to download and execute arbitrary payloads from the attacker's infrastructure.<\/p>\n<p>WAVESHAPER also operates as a daemon by forking into a child process that runs in the background, independently of the parent session. It collects system information, which is sent to the C2 server in an HTTP POST request.<\/p>\n<h3><a id=\"post-180317-_heading=h.cof00ibk05c9\"><\/a><strong>Forensic cleanup<\/strong><\/h3>\n<p>The entire process, from installation to compromise, takes about 15 seconds. Once the payload has launched successfully, the Node.js dropper performs aggressive anti-forensic cleanup. It deletes the <span style=\"font-family: 'courier new', courier, monospace;\">setup.js<\/span> file and the postinstall hook, then replaces the compromised package.json file with a clean decoy file named <span style=\"font-family: 'courier new', courier, monospace;\">package.md<\/span>. 
This ensures that developers inspecting their <span style=\"font-family: 'courier new', courier, monospace;\">node_modules<\/span> folders after installation will find no obvious signs of malicious code.<\/p>\n<h2><a id=\"post-180317-_heading=h.lgelhhr2sttr\"><\/a>Unit 42 threat hunting queries<\/h2>\n<p>The Unit 42 threat hunting team continues to actively monitor for any attempt to exploit this situation among our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these queries to search for possible indicators of exploitation.<\/p>\n<pre class=\"lang:default decode:true\">\/\/ Title: Compromised Axios npm package version (1.14.1 and 0.30.4) C2 on Command Line\r\n\r\n\/\/ Description: First stage of activity once a compromised endpoint runs the affected axios package is for the dropper scripts to call out to their C2 domain sfrclak[.]com\r\n\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1105\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, event_type, event_sub_type, event_id, agent_hostname, agent_id, action_process_image_command_line, actor_process_command_line\r\n\r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and action_process_image_command_line ~= \"(?:\\bsfrclak\\.com\\b)\"\r\n\r\n| comp values(action_process_image_command_line) as action_process_image_command_line, values(actor_process_command_line) as actor_process_command_line by _time, agent_hostname, agent_id<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Title: Compromised Axios npm package version (1.14.1 and 0.30.4) Malicious plain-crypto-js package directory\r\n\r\n\/\/ Description: The malicious package is actually plain-crypto-js, this looks for directory creation events for that package 
name within a node_modules folder\r\n\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1204.005\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, event_type, event_sub_type, event_id, agent_hostname, agent_id, action_file_path, actor_process_command_line\r\n\r\n| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_DIR_CREATE, ENUM.FILE_DIR_WRITE, ENUM.FILE_DIR_RENAME) and lowercase(action_file_path) ~= \"(?:\\bnode_modules[\\\\\\\/]plain-crypto-js\\b)\"\r\n\r\n| comp values(action_file_path) as action_file_path, values(actor_process_command_line) as actor_process_command_line by _time, agent_hostname, agent_id<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Title: Compromised Axios npm package version (1.14.1 and 0.30.4) File Indicators\r\n\r\n\/\/ Description: Upon installation of the compromised axios package via npm, the postinstall script deploys dropper scripts to download and install a remote access trojan on Mac, Linux, or Windows endpoints.\r\n\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1105 &amp; T1219\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, event_type, event_sub_type, event_id, agent_hostname, agent_id, action_file_path, actor_process_command_line\r\n\r\n| filter event_type = ENUM.FILE and event_sub_type in (FILE_CREATE_NEW, FILE_WRITE, FILE_RENAME) and lowercase(action_file_path) ~= \"(?:library\\\/caches\\\/com\\.apple\\.act\\.mond|\\\/tmp\\\/ld\\.py|c:\\\\programdata\\\\wt\\.exe|appdata\\\\local\\\\temp\\\\6202033\\.(?:ps1|vbs)|c:\\\\programdata\\\\system\\.bat)\"\r\n\r\n| comp values(action_file_path) as action_file_path, values(actor_process_command_line) as actor_process_command_line by _time, agent_hostname, agent_id<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Title: Compromised Axios npm package version (1.14.1 and 0.30.4) C2 NGFW Traffic\r\n\r\n\/\/ Description: First stage of activity once a compromised endpoint runs the affected axios package is for the 
dropper scripts to call out to their C2 domain sfrclak[.]com\r\n\r\n\/\/ MITRE ATT&amp;CK TTP ID: T1105\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = panw_ngfw_url_raw\r\n\r\n| filter url_domain ~= \"(?:\\bsfrclak\\.com\\b)\"\r\n\r\n| join type = left (\r\n\r\ndataset = panw_ngfw_traffic_raw\r\n\r\n| fields session_id, source_ip, dest_ip, source_port, dest_port, action_source, bytes_received, bytes_sent, bytes_total, packets_received, packets_sent, packets_total, chunks_received, chunks_sent, chunks_total, session_end_reason\r\n\r\n) as trafficraw trafficraw.session_id = session_id and trafficraw.source_ip = source_ip and trafficraw.dest_ip = dest_ip and trafficraw.source_port = source_port and trafficraw.dest_port = dest_port\r\n\r\n| fields _time, _reporting_device_name, action, action_source, source_ip, source_port, source_user, source_location, dest_ip, dest_port, dest_location, http_method, http_headers, uri, url_category, url_category_list, url_domain, app, app_category, app_sub_category, bytes_received, bytes_sent, bytes_total, packets_received, packets_sent, packets_total, chunks_received, chunks_sent, chunks_total, protocol, inbound_if, outbound_if, from_zone, to_zone, referer, referer_fqdn, referer_port, referer_protocol, referer_url_path, rule_matched, session_id, session_end_reason, severity, sub_type, technology_of_app, tunneled_app, vsys\r\n\r\n| sort desc _time<\/pre>\n<h2><a id=\"post-180317-_heading=h.qid24fciurhi\"><\/a>Conclusion<\/h2>\n<p>Since the beginning of 2026, attackers have increased the frequency and scale of npm supply chain operations. 
Securing the continuous integration\/continuous deployment (CI\/CD) pipeline should be a top priority for any organization in order to mitigate this growing threat.<\/p>\n<p>Based on the amount of publicly available information, we strongly recommend the following actions:<\/p>\n<h3>Immediate assessment and isolation<\/h3>\n<ul>\n<li><strong>Check for malicious packages<\/strong>: search your project directories and <span style=\"font-family: 'courier new', courier, monospace;\">node_modules<\/span> for the compromised Axios versions (1.14.1 and 0.30.4) and the injected <span style=\"font-family: 'courier new', courier, monospace;\">plain-crypto-js<\/span> package (versions 4.2.0 and 4.2.1).<\/li>\n<li><strong>Check for malware-related artifacts<\/strong>: inspect systems for platform-specific indicators of compromise such as <span style=\"font-family: 'courier new', courier, monospace;\">\/Library\/Caches\/com.apple.act.mond<\/span> (macOS), <span style=\"font-family: 'courier new', courier, monospace;\">%PROGRAMDATA%\\wt.exe<\/span> (Windows) and <span style=\"font-family: 'courier new', courier, monospace;\">\/tmp\/ld.py<\/span> (Linux).<\/li>\n<li><strong>Isolate affected systems<\/strong>: if you discover malicious packages or RAT artifacts, immediately isolate the system from the network.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.zaoleabpc7h3\"><\/a>Remediation and rebuild<\/h3>\n<ul>\n<li><strong>Rebuild from scratch<\/strong>: if an environment is compromised, do not attempt to clean up the malware while it is still in place. 
Instead, fully rebuild the environment from a known-good state.<\/li>\n<li><strong>Clear caches<\/strong>: clear the local and shared package manager caches (npm, yarn, pnpm) on all workstations and build servers to prevent reinfection during subsequent installs.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.g4gto0k8zb2w\"><\/a>Full credential rotation<\/h3>\n<ul>\n<li><strong>Prepare for compromise:<\/strong> if the malicious package was executed, you must assume that every secret accessible on that machine has been stolen.<\/li>\n<li><strong>Rotate all secrets:<\/strong> immediately rotate authentication material, including npm tokens, AWS access keys, SSH private keys, cloud credentials (Google Cloud, Azure), CI\/CD secrets and any sensitive values stored in <span style=\"font-family: 'courier new', courier, monospace;\">.env<\/span> files.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.kz6g4w2163g6\"><\/a>Version control and dependency pinning<\/h3>\n<ul>\n<li><strong>Downgrade Axios<\/strong>: immediately move to the last known-safe versions of Axios: 1.14.0 or 0.30.3.<\/li>\n<li><strong>Pin dependencies<\/strong>: pin Axios to these safe versions in your <span style=\"font-family: 'courier new', courier, monospace;\">package-lock.json<\/span> file to avoid accidental upgrades.<\/li>\n<li><strong>Use overrides<\/strong>: add an overrides block to your package configuration to prevent the malicious versions from being resolved transitively by other packages.<\/li>\n<li><strong>Restrict enterprise registries<\/strong>: configure enterprise-managed npm registries to serve only known-good versions of Axios.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.ev9hlioxo1xb\"><\/a>Network defense and monitoring<\/h3>\n<ul>\n<li><strong>Block C2 traffic<\/strong>: block all outbound traffic to the attacker's C2 domain (<span style=\"font-family: 'courier new', courier, monospace;\">sfrclak[.]com<\/span>) and IP address (<span style=\"font-family: 'courier new', courier, monospace;\">142.11.206[.]73<\/span>).<\/li>\n<li><strong>Monitor logs<\/strong>: monitor network logs for suspicious outbound connections on port 8000, beaconing behavior and anomalous HTTP POST requests.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.ixfbfz5y1s9r\"><\/a>CI\/CD and pipeline hardening<\/h3>\n<ul>\n<li><strong>Audit CI\/CD pipelines:<\/strong> review automated build logs to check whether the affected versions were installed during recent runs. 
Rotate all secrets for the workflows that ran them.<\/li>\n<li><strong>Pause and validate deployments<\/strong>: temporarily pause CI\/CD deployments for projects that depend on Axios, in order to verify that your builds are not automatically pulling the poisoned \"latest\" versions.<\/li>\n<li><strong>Disable lifecycle scripts<\/strong>: use the <span style=\"font-family: 'courier new', courier, monospace;\">--ignore-scripts<\/span> option during CI\/CD installs to explicitly prevent npm postinstall hooks from running during automated builds.<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.d0gsdpkkt3ol\"><\/a>Long-term developer security<\/h3>\n<ul>\n<li><strong>Sandbox environments<\/strong>: isolate development environments using containers or sandboxes to limit access to the host file system.<\/li>\n<li><strong>Vault secrets<\/strong>: migrate plaintext secrets off developer machines and into secure vaults or OS keychains (using tools such as <span style=\"font-family: 'courier new', courier, monospace;\">aws-vault<\/span>) so that malicious scripts cannot retrieve them programmatically.<\/li>\n<li><strong>Deploy EDR (endpoint detection and response):<\/strong> make sure EDR solutions are deployed on developer workstations to monitor for suspicious processes spawned by Node.js applications.<\/li>\n<\/ul>\n<p>Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to disrupt malicious cyber actors in a coordinated manner. Learn more about the <a href=\"https:\/\/www.cyberthreatalliance.org\/\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>.<\/p>\n<p>Palo Alto Networks customers receive enhanced protection through our solutions, as detailed below. We will update this threat brief as the situation evolves and new relevant information becomes available.<\/p>\n<h2><a id=\"post-180317-_heading=h.dsrd8gz7y51i\"><\/a>Palo Alto Networks protections against supply chain attacks<\/h2>\n<p>Palo Alto Networks customers can rely on a broad range of product-integrated protections and updates to identify and counter this threat.<\/p>\n<p>Do you think your organization may have been compromised, or do you have an urgent matter? 
Get in touch with the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a> or call one of the following numbers:<\/p>\n<ul>\n<li>North America: Toll free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>UK: +44 20 3743 3660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81 50 1790 0200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 000 800 050 45107<\/li>\n<li>South Korea: +82.080.467.8774<\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.r5zytmrl4fdz\"><\/a>Advanced WildFire<\/h3>\n<p>The <a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a> machine learning models and analysis techniques have been updated based on the indicators of compromise (IoCs) identified in this research.<\/p>\n<h3><a id=\"post-180317-_heading=h.2r6o1k3s5rtv\"><\/a>Cloud-Delivered Security Services for the Next-Generation Firewall<\/h3>\n<p><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a> identify the IP addresses and domains associated with this activity as malicious.<\/p>\n<h3><a id=\"post-180317-_heading=h.h2zg0hh7o499\"><\/a>Cortex AgentiX<\/h3>\n<p>Security analysts can use natural language to prompt the <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/agentix\" target=\"_blank\" rel=\"noopener\">Cortex AgentiX<\/a> Threat Intel agent to extract the file indicators of compromise (IoCs) from this threat brief. They can then have it enrich those IoCs, search for any sightings of them and related alerts in their Cortex tenant, and provide a quick summary of the impact on the organization.<\/p>\n<h3><a id=\"post-180317-_heading=h.3wk649k5cw5k\"><\/a>Cortex XDR and XSIAM<\/h3>\n<p><a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XDR\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/p\/XSIAM\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a> provide multi-layered defense to help protect against the initial access, C2 and potential lateral movement described in this article. This includes Behavioral Threat Protection (BTP), Advanced WildFire and Cortex Analytics.<\/p>\n<p>Specifically, we observed out-of-the-box (OotB) prevention via Advanced WildFire and BTP for the second stages of this attack on Windows and macOS. 
Cortex Analytics can help detect C2 activity and suspicious supply chain activity using our purpose-built detectors described in the following articles:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/how-behavioral-analytics-stop-linux-c2-credential-theft\/\" target=\"_blank\" rel=\"noopener\">How behavioral analytics stop Linux C2 and credential theft - Palo Alto Networks Blog<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/how-cortex-xdr-global-analytics-protects-against-supply-chain-attacks\/\" target=\"_blank\" rel=\"noopener\">How Cortex XDR Global Analytics protects against supply chain attacks - Palo Alto Networks Blog<\/a><\/li>\n<\/ul>\n<p>We advise customers to upgrade agents to supported versions and the latest content update to get the best possible protection.<\/p>\n<h3><a id=\"post-180317-_heading=h.4zmi42o4yr83\"><\/a>Cortex Cloud<\/h3>\n<p>The <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cloud\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a> platform provides detection and prevention for the first two stages of the Axios attack chain. 
These include software supply chain security, application security (AppSec), cloud workload protection (CWP), Cortex XDR and XSIAM.<\/p>\n<p>Each phase of the attack can be mapped to a Cortex Cloud capability that helps prevent or detect it, from CI\/CD trusted publisher verification to post-install runtime monitoring and endpoint persistence detection.<\/p>\n<h2><a id=\"post-180317-_heading=h.595rf5so7n8g\"><\/a>Indicators of Compromise<\/h2>\n<h3><a id=\"post-180317-_heading=h.1m8e0icnh4t3\"><\/a>SHA256 Hashes<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">cdc05cd30eb53315dadb081a7b942bb876f0d252d20e8ed4d2f36be79ee691fa<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">8449341ddc3f7fcc2547639e21e704400ca6a8a6841ae74e57c04445b1276a10<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">01c9484abc948daa525516464785009d1e7a63ffd6012b9e85b56477acc3e624<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">7b47ed28e84437aee64ffe9770d315c1b984135105f7f608a8b9579517bc0695<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">526ab39d1f56732e4e926715aaa797feb13b1ae86882ec570a4d292e7fdc3699<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">a98e04dec3a7fe507eb30c72da808bad60bc14d9d80f9770ec99c438faa85a1a<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">0d83030ab8bfba675fc1661f0756b6770be7dd80b1b718de3d68a01f2e79a5f4<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">506690fcbd10fbe6f2b85b49a1fffa9d984c376c25ef6b73f764f670e932cab4<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">4465bdeaddc8c049a67a3d5ec105b2f07dae72fa080166e51b8f487516eb8d07<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">a224dd73b7ed33e0bf6a2ea340c8f8859dfa9ec5736afa8baea6225bf066b248<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">5e2ab672c3f98f21925bd26d9a9bba036b67d84fde0dfdbe2cf9b85b170cab71<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">20df0909a3a0ef26d74ae139763a380e49f77207aa1108d4640d8b6f14cab8ca<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">5b5fbc627502c5797d97b206b6dcf537889e6bea6d4e81a835e103e311690e22<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">9c64f1c7eba080b4e5ff17369ddcd00b9fe2d47dacdc61444b4cbfebb23a166c<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-180317-_heading=h.5rki64ia7uvb\"><\/a>IP Addresses and Domains<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">142.11.206[.]73<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">sfrclak[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">callnrwise[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/sfrclak[.]com:8000<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/sfrclak[.]com:8000\/6202033<\/span><\/li>\n<\/ul>\n<p><em>Updated April 1, 2026, at 1:15 p.m. PT to add coverage for Advanced WildFire.<\/em><\/p>\n<p><em>Updated April 9, 2026, at 8:50 a.m. PT to add coverage by Advanced Threat Prevention.<\/em><\/p>\n<p><em>Updated April 13, 2026, at 12:50 p.m. PT to clarify how the Windows version of the remote access trojan (RAT) is executed. Added coverage by Cortex AgentiX.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 looks into the supply chain attack targeting Axios. Learn about the full attack cycle, from the dropper to forensic cleanup.<\/p>\n","protected":false},"author":23,"featured_media":176780,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8787,8769],"tags":[9225,9553,9232,9515,10085,9234],"product_categories":[8956,8973,8979,8955,9041,9046,9053,9064,9151],"coauthors":[1025],"class_list":["post-180317","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-fr","category-top-cyberthreats-fr","tag-api-attacks-fr","tag-javascript-fr","tag-powershell-fr","tag-supply-chain-fr","tag-trojan","tag-vbscript-fr","product_categories-advanced-dns-security-fr","product_categories-advanced-url-filtering-fr","product_categories-advanced-wildfire-fr","product_categories-cloud-delivered-security-services-fr","product_categories-cortex-fr","product_categories-cortex-cloud-fr","product_categories-cortex-xdr-fr","product_categories-cortex-xsiam-fr","product_categories-unit-42-incident-response-fr"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - 
https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->"}