AdaptixC2 via npm typosquat: DFIR playbook for https-proxy-utils

Kaspersky reported on October 17, 2025 that a malicious npm package named https-proxy-utils masqueraded as a proxy helper and, during installation, executed a postinstall script that fetched and launched an AdaptixC2 agent; the package has since been removed from npm (Securelist). The lure name mimicked popular packages like http-proxy-agent and https-proxy-agent, and even cloned functionality from proxy-from-env to appear legitimate (Securelist).

AdaptixC2 is an open-source, cross‑platform post‑exploitation framework with server components in Go and a Qt client, providing beacons and listeners across Windows, macOS, and Linux—features attractive both to red teams and threat actors (AdaptixC2 GitHub).

Why DFIR teams should care

  • The infection vector is developer tooling: a postinstall script in a dependency. npm lifecycle hooks run arbitrary commands by design, so a single mistaken install in a dev workstation or CI runner can bootstrap C2 (npm scripts docs).
  • The implant uses OS‑specific drop locations and persistence, blending in with normal platform behaviors and making triage noisy if you don’t know where to look (Securelist).
  • The Windows stage employs DLL sideloading via a legitimate binary—mapped to MITRE ATT&CK T1574.001—complicating binary trust heuristics (MITRE ATT&CK T1574.001; Securelist).

Execution details and artefacts

Package behavior and network

  • Package: https-proxy-utils (malicious; removed from npm) (Securelist).
  • Trigger: postinstall lifecycle script downloads and executes platform‑specific AdaptixC2 payloads (Securelist; npm scripts docs).
  • C2/hosted payload endpoints observed: cloudcenter.top paths for Windows/macOS/Linux arm/x64 payloads and a macOS plist; see IOC list below (Securelist).

OS‑specific staging

  • Windows

    • Drops a malicious DLL into C:\Windows\Tasks, then copies msdtc.exe into the same directory to sideload the DLL on execution (Securelist).
    • Technique: DLL sideloading (MITRE ATT&CK T1574.001) (MITRE ATT&CK).
  • macOS

    • Writes an executable into the user’s ~/Library/LaunchAgents and drops a plist to achieve autorun; selects x64 vs ARM payload before download (Securelist).
    • Launch agents/daemons are the supported macOS persistence mechanism; official locations include ~/Library/LaunchAgents and /Library/LaunchAgents (Apple Developer launchd doc; Apple Terminal guide).
  • Linux

    • Fetches the agent into /tmp/.fonts-unix (x64/ARM) and marks it executable (Securelist).

Indicators of Compromise (subset)

Package name
  https-proxy-utils

Network
  cloudcenter.top/sys/update
  cloudcenter.top/macos_update_arm
  cloudcenter.top/macos_update_x64
  cloudcenter.top/macosUpdate.plist
  cloudcenter.top/linux_update_x64
  cloudcenter.top/linux_update_arm

Source: Kaspersky IOC section (Securelist).

Where to hunt first: developer and CI artefacts

Target investigations at places npm/yarn/pnpm record dependency state and lifecycle activity:

  • Lockfiles and manifests

    • package-lock.json, yarn.lock, pnpm-lock.yaml—search for https-proxy-utils and unexpected transitive inclusions (npm ci blog).
    • pnpm lock/behavior docs if you use pnpm in CI (pnpm settings – ignoreScripts).
  • npm logs and cache

    • npm writes logs under _logs inside the npm cache; the default cache is ~/.npm (POSIX) or %AppData%/npm-cache (Windows). Use npm config get cache to locate it, then inspect _logs/ for failed postinstall runs or unusual fetches (npm folders; npm logging).
  • Lifecycle scripts evidence

Quick hunts (copy/paste)

  • Repo/lockfile search
# Linux/macOS
rg -n --hidden -S "https-proxy-utils" -g '!node_modules' .

# Windows PowerShell
Get-ChildItem -Recurse -Filter package-lock.json | Select-String -Pattern 'https-proxy-utils'
Get-ChildItem -Recurse -Filter yarn.lock        | Select-String -Pattern 'https-proxy-utils'
Get-ChildItem -Recurse -Filter pnpm-lock.yaml   | Select-String -Pattern 'https-proxy-utils'
  • npm cache/logs for network traces
npm config get cache   # locate cache dir
# Then inspect <cache>/_logs/*.log for postinstall or cloudcenter.top URLs
rg -n "cloudcenter\.top" "$(npm config get cache)" -S || true
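The rg hunts above match a string anywhere in a file. As an added example (not code from the Securelist report or from npm), the Python audit below parses package-lock.json structurally across lockfile versions 1 to 3 and walks node_modules for packages that declare preinstall/install/postinstall hooks, which is the lifecycle-script evidence the hunt list points at. The watch-list name comes from the report; the lockfile layouts are npm's documented ones.

```python
"""Audit an npm install for the typosquat and for install-time lifecycle hooks.
Added example, not code from the Securelist report or from npm. It parses
package-lock.json (lockfileVersion 1, 2 and 3 layouts) for watch-listed names
and walks node_modules for preinstall/install/postinstall scripts, the hook
that a package like https-proxy-utils abuses to run code during npm install."""
import json
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
WATCHLIST = {"https-proxy-utils"}  # name from the report; extend with your own

def lockfile_packages(lock: dict) -> set:
    """Every package name recorded in a parsed package-lock.json."""
    names = set()
    # lockfileVersion 2/3: "packages" keyed by install path; "" is the root project
    for path in lock.get("packages", {}):
        if path:  # "node_modules/a/node_modules/@s/b" -> "@s/b"
            names.add(path.rsplit("node_modules/", 1)[-1])

    # lockfileVersion 1 (kept in v2 for compatibility): nested "dependencies"
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return names

def find_watchlisted(lock_text: str, watchlist=WATCHLIST) -> list:
    """Sorted watch-list names present anywhere in the lockfile text."""
    return sorted(watchlist & lockfile_packages(json.loads(lock_text)))

def install_hooks(manifest: dict) -> dict:
    """{hook: command} for the install-time scripts a package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}

def audit_node_modules(root: Path) -> dict:
    """Package name -> install hooks, for every installed package declaring any."""
    findings = {}
    for pkg_json in root.glob("**/package.json"):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip, don't abort the sweep
        hooks = install_hooks(manifest)
        if hooks:
            findings[manifest.get("name", str(pkg_json.parent))] = hooks
    return findings
```

Run find_watchlisted over each lockfile in the repo and audit_node_modules over each node_modules tree; anything the second returns is a package that executed code at install time and belongs on an explicit allowlist or out of the tree.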

Endpoint hunts by OS

Windows

  • File hunts
    • Look for unsigned/unexpected DLLs in C:\Windows\Tasks alongside msdtc.exe (Securelist).
  • Process/Module telemetry
    • Hunt for msdtc.exe executing from C:\Windows\Tasks\ instead of C:\Windows\System32\ and loading a local DLL (DLL sideloading, ATT&CK T1574.001) (MITRE ATT&CK).
  • Example Sigma (process creation)
title: MSDTC Executed from Non-Standard Path
id: 00000000-0000-0000-0000-000000000000   # placeholder: generate a fresh UUIDv4 before use
status: experimental
description: Detects msdtc.exe spawned from Windows\Tasks, as in the AdaptixC2 npm (https-proxy-utils) case
references:
  - https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/
  - https://attack.mitre.org/techniques/T1574/001/
tags:
  - attack.defense-evasion
  - attack.persistence
  - attack.t1574.001
logsource:
  product: windows
  category: process_creation
detection:
  sel:
    Image|endswith: '\\msdtc.exe'
    Image|contains: '\\Windows\\Tasks\\'
  condition: sel
falsepositives:
  - Unknown
level: high
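The Sigma rule covers the process-creation half. As an added example (not from the Securelist report or the Sigma project), the Python below applies the same test plus the module-load condition from the telemetry bullet to Sysmon-style records, and generalizes it to any directory other than System32 rather than only Windows\Tasks. Field names follow Sysmon (EventID, Image, ImageLoaded); the sample events are constructed.

```python
"""Flag msdtc.exe sideloading in Sysmon-style process and image-load telemetry.
Added example, not from the Securelist report or the Sigma project. The field
names follow Sysmon (EventID 1 = process creation, 7 = image load, Image,
ImageLoaded); the SAMPLE_EVENTS records below are constructed, not real logs."""
import ntpath
from typing import Optional

LEGIT_DIR = r"c:\windows\system32"   # where the real msdtc.exe lives
STAGING_DIR = r"c:\windows\tasks"    # drop location described in the report

def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")

def check_event(ev: dict) -> Optional[str]:
    """A finding for a suspicious msdtc.exe event, or None if nothing stands out."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "msdtc.exe":
        return None
    if ev.get("EventID") == 1 and _dir(image) != LEGIT_DIR:
        return f"msdtc.exe started from non-standard path: {image}"
    if ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        # Sideload pattern (ATT&CK T1574.001): a DLL pulled from Windows\Tasks, or
        # from the binary's own directory when that directory is not System32.
        if _dir(loaded) == STAGING_DIR or (
            _dir(loaded) == _dir(image) and _dir(image) != LEGIT_DIR
        ):
            return f"msdtc.exe loaded {loaded} (possible DLL sideload)"
    return None

def scan(events: list) -> list:
    """Findings for every suspicious event, in input order."""
    return [f for f in (check_event(e) for e in events) if f]

SAMPLE_EVENTS = [  # constructed records for a dry run
    {"EventID": 1, "Image": r"C:\Windows\System32\msdtc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Tasks\msdtc.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Tasks\msdtc.exe",
     "ImageLoaded": r"C:\Windows\Tasks\sideloaded_example.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Feed it the Sysmon event fields exported from your SIEM; only the two staged records in the sample produce findings, while the legitimate System32 process and its normal system DLL loads stay silent.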

macOS

  • Persistence
  • Unload/remove suspicious agent
launchctl list | grep -i macosUpdate || true
launchctl bootout gui/"$(id -u)" ~/Library/LaunchAgents/<suspicious>.plist
rm -f ~/Library/LaunchAgents/<suspicious>.plist
  • IOC points to macosUpdate.plist; search for that string too (Securelist).
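To triage what launchctl list and the LaunchAgents directory surface, an added example (not from the Securelist report or Apple): a plistlib-based check for agents whose executable lives inside ~/Library/LaunchAgents itself, the staging the report describes, plus programs running from temp directories and the macosUpdate IOC token. The sample plist and its label are constructed.

```python
"""Triage LaunchAgent plists for the persistence pattern in the report (added
example, not from Securelist or Apple). Flags an agent whose executable sits
inside ~/Library/LaunchAgents itself, runs from a temp directory, or whose label
or program path contains the IOC token macosUpdate. The sample is constructed."""
import os
import plistlib
from typing import List, Optional

DEFAULT_AGENTS_DIR = os.path.expanduser("~/Library/LaunchAgents")
IOC_TOKENS = ("macosupdate",)  # compared case-insensitively

def program_of(plist: dict) -> Optional[str]:
    """launchd takes the executable from Program or ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None

def triage_plist(data: bytes, agents_dir: str = DEFAULT_AGENTS_DIR) -> List[str]:
    """Reasons this plist deserves a closer look; an empty list means nothing odd."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # InvalidFileException, ExpatError, ...: not a usable plist
        return ["unparseable plist"]
    reasons, prog = [], program_of(plist)
    if prog:
        prog_dir = os.path.dirname(os.path.expanduser(prog))
        if prog_dir == agents_dir.rstrip("/"):
            reasons.append(f"executable stored inside LaunchAgents: {prog}")
        if prog_dir.startswith(("/tmp", "/private/tmp", "/var/tmp")):
            reasons.append(f"executable runs from a temp directory: {prog}")
    haystack = f"{plist.get('Label', '')} {prog or ''}".lower()
    if any(tok in haystack for tok in IOC_TOKENS):
        reasons.append("label or program path matches IOC token macosUpdate")
    return reasons

def triage_directory(agents_dir: str = DEFAULT_AGENTS_DIR) -> dict:  # file -> reasons
    out = {}
    for name in os.listdir(agents_dir) if os.path.isdir(agents_dir) else []:
        if name.endswith(".plist"):
            with open(os.path.join(agents_dir, name), "rb") as fh:
                reasons = triage_plist(fh.read(), agents_dir)
            if reasons:
                out[name] = reasons
    return out

SAMPLE_SUSPECT = (  # constructed: mirrors the "executable dropped into LaunchAgents" staging
    b'<plist version="1.0"><dict><key>Label</key><string>com.example.macosUpdate</string>'
    b'<key>ProgramArguments</key><array><string>/Users/dev/Library/LaunchAgents/.macosUpdate</string></array>'
    b'<key>RunAtLoad</key><true/></dict></plist>')
```

Run triage_directory() on the affected user's account (and on /Library/LaunchAgents with that path passed explicitly); each flagged plist is a candidate for the launchctl bootout and removal steps above.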

Linux

  • Staging folder
    • Examine /tmp/.fonts-unix for recently created ELF payloads and anomalous execute bits (Securelist).
ls -la /tmp/.fonts-unix 2>/dev/null || true
# find + file also catches dot-prefixed payload names that a bare * glob would skip
find /tmp/.fonts-unix -type f -exec file {} + 2>/dev/null | grep -E 'ELF'

Network detection and containment

  • Block/alert on cloudcenter.top paths enumerated in the IOC list (Securelist).
  • Watch for initial postinstall fetches from developer workstations/CI runners shortly after npm i/npm ci. npm can run lifecycle scripts unless disabled (npm install flags; npm scripts docs).

Response guidance

  1. Developer endpoints and CI runners
  • Isolate the host if you confirm a hit. On Windows, delete the rogue msdtc.exe and malicious DLL from C:\Windows\Tasks and restore the legitimate binary in System32; re-run EDR scans (sideloading per ATT&CK T1574.001) (MITRE ATT&CK; Securelist).
  • On macOS, unload and remove the LaunchAgent plist and its executable from ~/Library/LaunchAgents (Apple Terminal guide).
  • On Linux, remove payloads from /tmp/.fonts-unix and rotate credentials if any developer tokens could have been accessed (Securelist).
  2. Dependency hygiene and install hardening
  3. Hunting and eradication at scale
  • Search SCM and artifact registries for https-proxy-utils references in manifests and lockfiles; purge artifacts built during the exposure window.
  • In npm caches/logs, look for failed or successful fetches to cloudcenter.top (logs reside under the npm cache path by default) (npm logging; npm folders).

About AdaptixC2 (for triage and intel)

AdaptixC2 provides listeners and agents across Windows/Linux/macOS, with features like GUI control, encrypted comms, and multiple beacon listeners—so a successful install on a developer machine can quickly escalate into lateral movement if credentials or code signing material are present (AdaptixC2 GitHub).

Appendix: Hashes and URLs (from Kaspersky)

Kaspersky provides multiple hashes for the package and lists the payload endpoints; operationalize these in blocklists and retro hunts (Securelist).

Takeaways

  • Hunt and purge https-proxy-utils from lockfiles, node_modules, caches, and CI images; scan for cloudcenter.top in npm _logs and proxy telemetry (Securelist; npm logging).
  • Prioritize OS hunts: Windows DLL in C:\Windows\Tasks with msdtc.exe sideloading; macOS LaunchAgents; Linux /tmp/.fonts-unix binaries (Securelist; MITRE ATT&CK; Apple docs).
  • Harden installs: prefer npm ci, disable lifecycle scripts in CI when feasible, or enforce an allowlist with @lavamoat/allow-scripts (npm ci blog; npm install flags; LavaMoat).
  • Monitor for postinstall‑timed network egress from developer hosts and CI, and block cloudcenter.top payload endpoints (Securelist).

Sources / References