Kaspersky researchers discovered a malicious npm package, https-proxy-utils. It was disguised as legitimate tools for using proxies in projects and allowed the AdaptixC2 framework—an open-source analogue of the well-known Cobalt Strike—to be installed on compromised developers’ machines. The malicious package has since been removed.
The AdaptixC2 framework appeared in 2024 and was created as a replacement for Cobalt Strike and the open-source Havoc. Adaptix is an extensible post-exploitation framework designed specifically for pentesters and red teams. The Adaptix server is written in Golang, and the client GUI is built with C++ and Qt, which allows it to be used on Linux, Windows, and macOS.
Like Cobalt Strike, it can be abused by attackers, and in March 2025 it was observed in real-world incidents.
The name of the discovered npm package resembles the names of the popular legitimate packages http-proxy-agent and https-proxy-agent, which receive approximately 70 million and 90 million downloads per week, respectively.
Inside, a hidden postinstall script downloaded and executed AdaptixC2. This allowed the attackers to gain remote access to the infected device, manage files and processes, and establish persistence in the system to perform network reconnaissance and deploy subsequent stages of the attack.
The attackers varied the method of loading AdaptixC2 depending on which operating system the device was running—Windows, Linux, or macOS.
For example, on Windows systems they loaded AdaptixC2 as a DLL file into the C:\Windows\Tasks system directory and launched it using the DLL sideloading technique (where a malicious DLL is distributed together with a legitimate application that executes it). To do this, the postinstall script copies the legitimate msdtc.exe file into the same directory and runs it, which in turn loads the malicious library.
On macOS, the script downloads a payload as an executable into the user’s autostart directory, Library/LaunchAgents. In the same directory, postinstall.js places a LaunchAgent plist configuration file for autostart. Before fetching AdaptixC2, the script checks the target architecture—x64 or ARM—and downloads the corresponding payload accordingly.
As for Linux, the framework’s agent is dropped into the temporary directory /tmp/.fonts-unix. The script delivers an architecture-specific binary (x64 or ARM) and then grants it execute permissions.
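As an added example (not Kaspersky's code), the following Python audit checks a package for the warning signs this report describes before its install hooks are allowed to run: automatic lifecycle scripts, download and OS-specific drop-path strings taken from the behaviour above, and a name that imitates a popular package. The indicator regexes, the file-following logic and the sample package are constructed for illustration.

```python
import difflib
import re

# Popular packages whose names the malicious package imitated (from the report).
POPULAR_PACKAGES = ["http-proxy-agent", "https-proxy-agent"]
# Hooks npm runs automatically on install; the report's package abused postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Indicator regexes constructed for this example from the report's described behaviour.
SUSPICIOUS_PATTERNS = {
    "remote_download": r"\bcurl\b|\bwget\b|https?://",
    "windows_tasks_dir": r"Windows\\+Tasks",
    "dll_sideload_host": r"msdtc\.exe",
    "macos_launch_agent": r"LaunchAgents",
    "linux_hidden_tmp": r"/tmp/\.fonts-unix",
    "grant_exec_bit": r"chmod\s+\+?x|fs\.chmod",
}

def lookalike_names(name, known=POPULAR_PACKAGES, threshold=0.7):
    """Popular package names the given name closely resembles (typosquat check)."""
    return [k for k in known
            if k != name and difflib.SequenceMatcher(None, name, k).ratio() >= threshold]

def scan_text(text, where):
    """(where, indicator) pairs for every suspicious pattern found in text."""
    return [(where, label) for label, pat in SUSPICIOUS_PATTERNS.items()
            if re.search(pat, text, re.IGNORECASE)]

def audit_package(pkg, files=None):
    """Audit a parsed package.json plus an optional {filename: content} map of
    bundled files; follows 'node <file>.js' hook commands into those files."""
    files = files or {}
    scripts = pkg.get("scripts", {})
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    indicators = []
    for hook, cmd in hooks.items():
        indicators += scan_text(cmd, hook)
        for js in re.findall(r"(\S+\.js)\b", cmd):
            if js in files:
                indicators += scan_text(files[js], js)
    return {"hooks": hooks, "indicators": indicators,
            "lookalikes": lookalike_names(pkg.get("name", ""))}

# Constructed sample modelled on the report: a postinstall hook running a bundled
# script whose body holds only the strings the audit looks for, no working logic.
SAMPLE_PACKAGE = {"name": "https-proxy-utils",
                  "scripts": {"postinstall": "node postinstall.js"}}
SAMPLE_FILES = {"postinstall.js": (
    "const winDir = 'C:\\\\Windows\\\\Tasks'; const host = 'msdtc.exe';\n"
    "const macDir = 'Library/LaunchAgents'; const nixDir = '/tmp/.fonts-unix';\n"
    "// fetch from https://example.invalid/agent then fs.chmodSync(p, 0o755)\n")}
```

Running `audit_package(SAMPLE_PACKAGE, SAMPLE_FILES)` reports the postinstall hook, all six indicators inside postinstall.js, and both proxy-agent packages as lookalike names; installing with `npm install --ignore-scripts` and reviewing flagged hooks first is the corresponding mitigation.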
“The AdaptixC2 incident illustrates a growing trend of using open-source software repositories as an attack vector. Users and organizations that develop or integrate open-source software from ecosystems like npm into their products are exposed to such threats,” comments Vladimir Gursky, a threat researcher at Kaspersky Lab. “We’re also seeing adversaries adopt increasingly sophisticated methods to hide well-known tools. In the campaign described, they used the DLL sideloading technique, which is becoming more popular and has been observed in incidents both in Russia and elsewhere. For example, it’s being used to distribute the dangerous Lumma stealer. This technique is quite difficult to detect without modern protection solutions and AI technologies.”