T1106

Native API

discovered 2026-06-01

Extensive use of native APIs via the koffi FFI library from Electron: Crypt32.dll `CryptUnprotectData` for DPAPI browser credential decryption; kernel32.dll `VirtualAllocEx`/`WriteProcessMemory`/`CreateRemoteThread` for process injection; and `child_process.execFile` for PE execution.
