Trojan on npm: Fake Utility Package Used to Deliver a Cobalt Strike Clone
In October 2025, researchers at Kaspersky Lab uncovered a malicious package on the popular npm registry named https-proxy-utils, masquerading as a legitimate proxy utility. The trojanized module was engineered to deploy AdaptixC2, an open-source framework introduced in 2024 that functions as a public analogue to Cobalt Strike, on compromised developers’ machines. The malicious package has since been removed from the repository.
AdaptixC2, while designed for Red Team operations, can be repurposed for nefarious ends and has already been observed in real-world intrusions. The attacker’s choice of package name deliberately echoed widely used libraries (http-proxy-agent and https-proxy-agent), which boast roughly 70 million and 90 million weekly downloads respectively, increasing the likelihood that developers would install the counterfeit without noticing the substitution.
Embedded in the package was a post-installation script that fetched and executed AdaptixC2, thereby furnishing adversaries with remote access to infected hosts, file and process control, persistence mechanisms, network reconnaissance capabilities, and a platform for staging subsequent attack phases. The deployment was tailored to the target operating system: Windows, Linux, or macOS. On Windows, AdaptixC2 was delivered as a DLL into C:\Windows\Tasks and executed via DLL sideloading, a technique that runs a malicious library in the context of a legitimate application.
Experts warn that this incident exemplifies an accelerating trend: open-source repositories are increasingly weaponized as a vector for supply-chain compromise. Organizations and developers who incorporate community packages into their software supply chains remain particularly exposed. The campaign also underscores the growing sophistication of concealment techniques—DLL sideloading in particular is becoming more prevalent globally and has been observed in cases such as the distribution of the Lumma stealer.
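The two traits this campaign combined, a name echoing a popular library and a post-installation script, can be checked in a dependency's manifest before it is installed. The following JavaScript is an added example, not code from the Kaspersky report or from npm; the `auditManifests` and `tokenOverlap` helpers, the 0.6 threshold and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag dependencies that combine an install-time hook with a
// name resembling a popular package. Sample manifests below are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Legitimate libraries named in the article as the impersonated targets.
const POPULAR = ["http-proxy-agent", "https-proxy-agent"];

// Share of name tokens (split on "-", "_", ".", "/") two names have in common.
function tokenOverlap(a, b) {
  const ta = new Set(a.toLowerCase().split(/[-_./]+/).filter(Boolean));
  const tb = new Set(b.toLowerCase().split(/[-_./]+/).filter(Boolean));
  const shared = [...ta].filter((t) => tb.has(t)).length;
  return shared / Math.max(ta.size, tb.size);
}

// Returns one finding per manifest with install hooks and/or a lookalike name.
function auditManifests(manifests, threshold = 0.6) {
  const findings = [];
  for (const m of manifests) {
    const hooks = LIFECYCLE_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    const lookalikeOf = POPULAR.includes(m.name)
      ? [] // the genuine package is not a lookalike of itself
      : POPULAR.filter((p) => tokenOverlap(m.name, p) >= threshold);
    if (hooks.length === 0 && lookalikeOf.length === 0) continue;
    // Both traits together match the pattern described in the article.
    const severity = hooks.length && lookalikeOf.length ? "high" : "review";
    findings.push({ name: m.name, hooks, lookalikeOf, severity });
  }
  return findings;
}

// Constructed package.json contents; the script values are placeholders.
const SAMPLE = [
  { name: "https-proxy-agent", scripts: { test: "node test.js" } },
  { name: "https-proxy-utils", scripts: { postinstall: "node setup.js" } },
  { name: "native-addon-example", scripts: { install: "node-gyp rebuild" } },
  { name: "left-pad-example" },
];

for (const f of auditManifests(SAMPLE)) {
  const hooks = f.hooks.join(",") || "-";
  const resembles = f.lookalikeOf.join(",") || "-";
  console.log(`${f.severity}\t${f.name}\thooks=${hooks}\tresembles=${resembles}`);
}
```

Install hooks alone are common in packages that build native code, so the "review" tier is a prompt to read the script rather than a verdict. Running `npm install --ignore-scripts` keeps lifecycle scripts from executing while a flagged package is examined.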