From: Homelabineer <redacted>
Date: Tue, 31 Mar 2026 16:40:56 +0000 (-0500)
Subject: Add axios supply chain attack C2 domains (sfrclak.com, callnrwise.com)
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=ed4ca8687f2541e3b2b5aa94b6342082cac254e5;p=stevenblack-hosts.git

Add axios supply chain attack C2 domains (sfrclak.com, callnrwise.com)

Closes #3098

These domains were used as C2 infrastructure in the axios npm supply
chain attack on March 31, 2026 (GHSA-fw8c-xr5c-95f9). Malicious
versions axios@1.14.1 and axios@0.30.4 were published via a hijacked
maintainer account, injecting a RAT that beacons to these domains.

References:
- https://github.com/advisories/GHSA-fw8c-xr5c-95f9
- https://socket.dev/blog/axios-npm-package-compromised
---

diff --git a/data/StevenBlack/hosts b/data/StevenBlack/hosts
index 46d333e00..3994faa24 100644
--- a/data/StevenBlack/hosts
+++ b/data/StevenBlack/hosts
@@ -3152,3 +3152,7 @@
 
 # Added March 29, 2026
 0.0.0.0 kra18.com
+
+# Added March 31, 2026
+0.0.0.0 sfrclak.com
+0.0.0.0 callnrwise.com