AdaptixC2 via npm typosquat: DFIR playbook for https-proxy-utils

4n6 Beat

Kaspersky reported on October 17, 2025 that a malicious npm package named https-proxy-utils masqueraded as a proxy helper and, during installation, executed a postinstall script that fetched and launched an AdaptixC2 agent; the package has since been removed from npm (Securelist). The lure name mimicked popular packages like http-proxy-agent and https-proxy-agent, and even cloned functionality from proxy-from-env to appear legitimate (Securelist).

AdaptixC2 is an open-source, cross‑platform post‑exploitation framework with server components in Go and a Qt client, providing beacons and listeners across Windows, macOS, and Linux—features attractive both to red teams and threat actors (AdaptixC2 GitHub).
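A triage check for the install-time execution described above, as an added example that is not code from the Securelist report or from this post: it flags the `https-proxy-utils` name in a parsed `package-lock.json` and lists every package npm recorded with `hasInstallScript` (a field present only in lockfile v2/v3). The sample lockfile, the `demo-app`, `build-tool` and `native-addon-example` names, and all versions are constructed.

```javascript
// Added example. The IOC name comes from the page; everything else is constructed.
const IOC_NAMES = new Set(["https-proxy-utils"]);

// v2/v3 key "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Flatten lockfile v1 nested "dependencies" (v1 has no hasInstallScript field).
function* walkV1(deps, prefix = "") {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, meta };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}

function* entries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") yield { path, name: meta.name || nameFromPath(path), meta };
    }
  } else {
    yield* walkV1(lock.dependencies);
  }
}

// Known-bad name is critical; any other install-script package is queued for review.
function auditLockfile(lock) {
  const findings = [];
  for (const { path, name, meta } of entries(lock)) {
    if (IOC_NAMES.has(name)) {
      findings.push({ severity: "critical", reason: "ioc-name", name, version: meta.version, path });
    } else if (meta.hasInstallScript === true) {
      findings.push({ severity: "review", reason: "install-script", name, version: meta.version, path });
    }
  }
  return findings;
}

// Constructed sample lockfile; versions are placeholders.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/https-proxy-agent": { version: "0.0.0-sample" },
  "node_modules/native-addon-example": { version: "0.0.0-sample", hasInstallScript: true },
  "node_modules/build-tool/node_modules/https-proxy-utils": { version: "0.0.0-sample", hasInstallScript: true },
} };
console.log(auditLockfile(sampleLock));
```

A lockfile hit shows the package was resolved for that project, not that the postinstall script ran on a given host; installs performed with `--ignore-scripts` would not have executed it.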