April 2, 2026

Apifox Supply Chain Attack

Security Advisory
Kudelski Security Team
Summary

A supply chain attack targeting the Apifox desktop client was detected by the SlowMist security team in March 2026. Attackers compromised an official CDN-hosted JavaScript file (apifox-app-event-tracking.min.js), injecting malicious code disguised as analytics tracking functionality. The compromised script was automatically executed by the Electron-based desktop application without requiring user interaction, resulting in the theft of authentication credentials, system information, and API credentials, as well as enabling remote code execution (RCE) capabilities on affected systems.

Affected Systems and/or Applications

  • Primary Target: Apifox desktop client (Electron-based application)
  • Attack Vector: Compromised CDN script file (apifox-app-event-tracking.min.js)
  • User Impact: All users who launched the Apifox desktop client during the period when the CDN-hosted script was compromised
  • Platforms: Windows, macOS, and Linux systems running the Apifox desktop application

Technical Details

CDN Compromise and Script Injection:

  • The official CDN-hosted file apifox-app-event-tracking.min.js was tampered with at the source, injecting malicious JavaScript into a trusted analytics script.
  • Because Apifox is built on Electron, the desktop application automatically loads this script on every startup and during normal operation, executing the malicious payload without any user action or consent.

Once executed within the Apifox Electron runtime, the payload performed the following actions:

  • Extracted authentication tokens from the application's local storage, specifically targeting common.accessToken and related session data.
  • Executed system commands (ps aux on macOS/Linux, tasklist on Windows) to enumerate running processes.
  • Targeted the following files and directories for exfiltration:
      - ~/.ssh/ - SSH private and public keys
      - ~/.git-credentials - Git authentication credentials
      - ~/.zsh_history / ~/.bash_history - Shell command history
      - ~/.kube/* - Kubernetes cluster configurations and tokens
      - ~/.npmrc - npm registry authentication tokens
      - ~/.zshrc - Zsh configuration (may contain secrets)
      - ~/.subversion/* - SVN credentials
  • Transmitted the stolen data to C2 servers via RSA-encrypted channels, tagged with custom HTTP headers/fields: af_uuid, af_os, af_user, af_name, af_apifox_user, af_apifox_name.
  • Retrieved and executed arbitrary remote payloads from C2 infrastructure, establishing a persistent backdoor.
  • Ran a built-in randomized timer that triggered continuous data theft and payload fetch cycles throughout the application's runtime.

Mitigation

  1. Revoke all tokens: Apifox access tokens, API keys, and OAuth tokens stored or accessed through the client.
  2. Rotate SSH keys: Generate new SSH key pairs and remove compromised public keys from all authorized hosts.
  3. Reset passwords: Change Apifox account password and any password that may have been stored in targeted files.
  4. Invalidate Apifox sessions: Log out and log back in to force session token invalidation.
  5. Rotate Git credentials: Regenerate GitHub/GitLab personal access tokens and deploy keys.
  6. Rotate Kubernetes credentials: Regenerate kubeconfig tokens and audit cluster access logs.
  7. Rotate npm tokens: Revoke and regenerate all npm authentication tokens.
  8. Clear local storage: Remove the _rl_headers and _rl_mc keys from Apifox's LevelDB storage via the developer console: localStorage.removeItem('_rl_headers'); localStorage.removeItem('_rl_mc');
  9. Review audit logs: Examine API access logs, Git repository activity, and infrastructure access logs for anomalous activity during the March 4–22 window.

IOCs

Network:

Domain                          Notes
apifox[.]it[.]com               Primary C2 domain, hosted on Cloudflare, active 18 days, now offline
cdn[.]openroute[.]dev           Secondary C2 / payload delivery
upgrade[.]feishu[.]it[.]com     C2 communication endpoint
system[.]toshinkyo[.]or[.]jp    C2 communication endpoint
*[.]feishu[.]it[.]com           Wildcard subdomain used for C2
ns[.]openroute[.]dev            DNS infrastructure related to attack

File:

Indicator           Value
Compromised File    apifox-app-event-tracking.min.js
SHA256              91d48ee33a92acef02d8c8153d1de7e7fe8ffa0f3b6e5cebfcb80b3eeebc94f1
Original Size       ~34 KB
Compromised Size    ~77 KB

Host-based:

  • Presence of _rl_headers and _rl_mc keys in Apifox LevelDB local storage
  • Unexpected outbound DNS queries or connections to the C2 domains listed above
  • Evidence of ps aux or tasklist execution spawned from the Apifox/Electron process tree
  • Unauthorized reads of ~/.ssh/, ~/.git-credentials, ~/.kube/, ~/.npmrc
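The network, file and host-based indicators above can be checked with a small triage script. The following Python is an added example, not part of the Kudelski advisory or of Apifox's own code: the domains, file hash and key names come from the tables above, while the sample DNS log lines, process records and LevelDB bytes are constructed, the "twice the original size" threshold is this example's own heuristic, and the raw-byte search of LevelDB files is an approximation that a compressed block can defeat.

```python
"""Triage helpers for the Apifox CDN-script compromise (added example; indicators from the advisory,
sample data and thresholds are this example's own assumptions)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Network indicators exactly as published (defanged); refanged only for matching.
C2_DOMAINS_DEFANGED = [
    "apifox[.]it[.]com", "cdn[.]openroute[.]dev", "upgrade[.]feishu[.]it[.]com",
    "system[.]toshinkyo[.]or[.]jp", "*[.]feishu[.]it[.]com", "ns[.]openroute[.]dev",
]
COMPROMISED_SHA256 = "91d48ee33a92acef02d8c8153d1de7e7fe8ffa0f3b6e5cebfcb80b3eeebc94f1"
ORIGINAL_SIZE_KB = 34                     # advisory: original ~34 KB, trojanised ~77 KB
SUSPICIOUS_KEYS = (b"_rl_headers", b"_rl_mc")


def refang(indicator):
    """Turn the published 'a[.]b' form back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def _c2_regex():
    parts = []
    for d in map(refang, C2_DOMAINS_DEFANGED):
        if d.startswith("*."):           # wildcard entry: one or more labels before the base domain
            parts.append(r"(?:[a-z0-9-]+\.)+" + re.escape(d[2:]))
        else:
            parts.append(re.escape(d))
    # boundaries stop 'xapifox.it.com' from matching; a trailing '.' (FQDN form in DNS logs) is allowed
    return re.compile(r"(?<![a-z0-9.-])(?:" + "|".join(parts) + r")(?![a-z0-9-])")


def find_c2_hits(log_lines):
    """Return (line_no, matched_host) for every log line that references a C2 indicator."""
    rx = _c2_regex()
    return [(n, m.group(0)) for n, line in enumerate(log_lines, 1) for m in rx.finditer(line.lower())]


def classify_script_bytes(data):
    """Compare a cached copy of apifox-app-event-tracking.min.js with the advisory's indicators."""
    if hashlib.sha256(data).hexdigest() == COMPROMISED_SHA256:
        return "match"                    # the exact trojanised build
    if len(data) > 2 * ORIGINAL_SIZE_KB * 1024:
        return "suspect"                  # heuristic: far larger than the ~34 KB original
    return "no-indicator"


def scan_leveldb_dir(directory):
    """Look for the _rl_headers / _rl_mc key names in Apifox's LevelDB files.
    Keys sit as plain bytes in .log files and uncompressed .ldb blocks, so a substring search
    usually works; a compressed block can hide a key, so an empty result is not proof of absence."""
    found = {}
    for p in sorted(Path(directory).iterdir()):
        if p.suffix in (".log", ".ldb"):
            blob = p.read_bytes()
            for key in SUSPICIOUS_KEYS:
                if key in blob:
                    found.setdefault(key.decode(), []).append(p.name)
    return found


def suspicious_process_children(procs, shell_names=("ps", "tasklist", "sh", "bash", "cmd.exe")):
    """Flag enumeration/shell commands whose ancestry includes an Apifox (Electron) process.
    procs: list of {"pid", "ppid", "name", "cmd"} records, e.g. an EDR or ps export."""
    by_pid = {p["pid"]: p for p in procs}
    flagged = []
    for p in procs:
        if p["name"].lower() not in shell_names:
            continue
        seen, a = set(), by_pid.get(p["ppid"])
        while a is not None and a["pid"] not in seen:   # 'seen' guards against ppid cycles in exports
            seen.add(a["pid"])
            if "apifox" in a["name"].lower():
                flagged.append(p["cmd"])
                break
            a = by_pid.get(a["ppid"])
    return flagged


def make_sample_leveldb_dir():
    """Constructed LevelDB-like directory for a dry run (key bytes laid out as Chromium stores them)."""
    d = Path(tempfile.mkdtemp(prefix="apifox-triage-"))
    (d / "000003.log").write_bytes(b"\x00\x01common.accessToken\x00\x01_rl_headers\x01{...}")
    (d / "000005.ldb").write_bytes(b"\x00\x01_rl_mc\x01eyJ0\x00")
    (d / "CURRENT").write_bytes(b"MANIFEST-000002\n")
    return str(d)


# Constructed sample inputs, not real captures.
SAMPLE_DNS_LOG = [
    "2026-03-10T08:01:02Z query A api.example.com from 10.0.0.5",
    "2026-03-10T08:01:05Z query A apifox.it.com. from 10.0.0.5",
    "2026-03-10T08:02:17Z query A upgrade.feishu.it.com from 10.0.0.5",
    "2026-03-10T08:03:00Z query A notfeishu.it.com from 10.0.0.9",
]
SAMPLE_PROCS = [
    {"pid": 1, "ppid": 0, "name": "launchd", "cmd": "/sbin/launchd"},
    {"pid": 410, "ppid": 1, "name": "Apifox", "cmd": "/Applications/Apifox.app/Contents/MacOS/Apifox"},
    {"pid": 415, "ppid": 410, "name": "Apifox Helper", "cmd": "Apifox Helper --type=renderer"},
    {"pid": 902, "ppid": 415, "name": "sh", "cmd": "/bin/sh -c ps aux"},
    {"pid": 903, "ppid": 902, "name": "ps", "cmd": "ps aux"},
    {"pid": 777, "ppid": 1, "name": "bash", "cmd": "bash -l"},
]

if __name__ == "__main__":
    print("C2 hits:", find_c2_hits(SAMPLE_DNS_LOG))
    print("LevelDB keys:", scan_leveldb_dir(make_sample_leveldb_dir()))
    print("Process tree:", suspicious_process_children(SAMPLE_PROCS))
    print("Script sample:", classify_script_bytes(b"x" * 80_000))
```

On a real host, feed find_c2_hits the resolver or proxy log, point scan_leveldb_dir at the Apifox profile's LevelDB directory, pass classify_script_bytes the bytes of the cached tracking script, and build the procs list from an EDR process-tree export. A "suspect" or an empty LevelDB result is a prompt to look closer, not a verdict either way.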

What the Cyber Fusion Center is doing

The CFC continues to monitor the situation and is in the process of building a threat-hunting campaign to identify related activity. This advisory will be updated if required.
