Yishi|Mar 25, 2026 11:06
Apifox hit by a supply chain attack. Its Electron desktop app did not strictly enable sandboxing and exposed the Node.js API to the renderer process, allowing attackers to achieve RCE via malicious JS.
When the app starts, it fetches `apifox-app-event-tracking.min.js` from the official CDN. Since March 4, this resource has been intermittently replaced with a poisoned version (77KB, normal size ~34KB).
The poisoned script further loads a second-stage payload from a non-official domain controlled by the attacker, `apifox[.]it[.]com`, and executes under certain conditions:
- Collects host information and sensitive data: SSH keys, Git credentials, shell history, process lists
- Sends data back to `apifox[.]it[.]com/event/0/log`
- Deploys a persistent backdoor and attempts lateral movement
**IoC**
- Tampered resource: `hxxps://cdn[.]apifox[.]com/www/assets/js/apifox-app-event-tracking.min.js` (77KB)
- C2 domain: `apifox[.]it[.]com`
- Exfil endpoint: `hxxps://apifox[.]it[.]com/event/0/log`
**Mitigation Recommendations:**
- Immediately upgrade to v2.8.19+
- Reset credentials on all hosts that ran affected versions: rotate all SSH keys, Git tokens, and API keys
- Audit shell history, process logs, and abnormal outbound connections
- Check for persistence mechanisms: cron, Launch Agents, systemd, etc.
Treat all related credentials as compromised, revoke and reissue them.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink