Supply Chain Poisoning and Developer Credential Theft in Apifox Desktop Client
Apifox has fallen victim to a supply chain poisoning attack. By tampering with the official CDN-hosted event tracking script, `apifox-app-event-tracking.min.js`, attackers have successfully implanted a high-risk Trojan loader into the client application.

- Release Date: March 25, 2026
- Risk Level: Critical
- Vulnerability ID: N/A
- Vulnerability Category: Supply Chain Poisoning
Impact Scope
- Affected Targets: Developers and QA engineers using the Apifox desktop client (Windows/macOS/Linux).
- Trigger Mechanism: Upon startup, the client automatically loads a remote business script, `apifox-app-event-tracking.min.js`. If the poisoned version (approx. 77K, vs. the normal ~34K) is requested, the attack chain is triggered.
- Key Indicators of Compromise (IoC): Focus on endpoints that accessed the domain `apifox.it.com` after March 4, 2026.
Vulnerability Details
This incident is a typical targeted poisoning attack against developer toolchains. By tampering with official CDN resources and exploiting the lack of strict Node.js API permission controls within the Electron environment, the attacker successfully established a complete execution chain from script loading to deep data exfiltration.
- Multi-stage Loader: The poisoned script first executes an obfuscated loader locally to collect host identifiers (UUID, OS, username, etc.) and constructs custom HTTP headers (e.g., `af_uuid`, `af_name`) to request second-stage instructions from the malicious domain `apifox.it.com`.
- Encrypted Communication: The server returns RSA-encrypted ciphertext, which the client decrypts using a hardcoded private key within the script to obtain a scheduler script. This approach effectively evades the detection of malicious URLs by static sandboxes.
- Surgical Data Theft: The payload is highly targeted, focusing on the "digital assets" of developers:
  - SSH Keys: Recursively reads private key files in the `~/.ssh` directory.
  - Git Credentials: Steals plaintext usernames and passwords from `~/.git-credentials`.
  - Command History: Collects `.zsh_history` or `.bash_history` to harvest environment variables, API keys, or database passwords that may have been logged inadvertently.
  - Application Cache: Specifically packages `apifox/cache/cache_data` to steal local API definitions, tokens, and business data.
- Covert Exfiltration: All sensitive data is Gzip-compressed and encrypted using AES-256-GCM (with keys derived from `apifox/foxapi`). It is then exfiltrated via the `/event/0/log` interface, making it difficult for conventional traffic auditing to detect plaintext leaks.
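The files listed under Surgical Data Theft define what an affected developer has to assume is in the attacker's hands. A practical incident-scoping step is to inventory which of those artifacts exist on a host and to find which secrets the shell history would have handed over, so that exactly those keys and passwords can be rotated. The Python below is an added example written for this page, not code from Apifox or AUTOSEC.DEV; the secret-name heuristics, the CLI-flag patterns and the location of the Apifox cache under the home directory are assumptions, and the sample history and files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Artifacts the advisory says the payload collects, given relative to the home directory.
# The location of the Apifox cache under $HOME varies by platform, so that entry is an assumption.
TARGETED_PATHS = [
    ".ssh",                     # private keys, read recursively
    ".git-credentials",         # plaintext Git usernames and passwords
    ".zsh_history",
    ".bash_history",
    "apifox/cache/cache_data",  # local API definitions, tokens, business data
]

# zsh "extended history" prefixes each command with ": <epoch>:<elapsed>;"
ZSH_PREFIX_RE = re.compile(r"^: \d+:\d+;")

# NAME=value assignments (optionally preceded by "export"), with optional quoting.
ASSIGN_RE = re.compile(r"(?:^|\s)(?:export\s+)?([A-Za-z_]\w*)=(['\"]?)(\S+?)\2(?=\s|$)")

# Variable names that usually hold secrets. This list is a heuristic of the example, not from the advisory.
SECRET_NAME_RE = re.compile(r"(?i)(key|token|secret|passw(?:or)?d|credential)")

# CLI flags that take a secret inline, e.g. --password=x, --password x, --api-token x (heuristic).
FLAG_RE = re.compile(r"(--?[\w-]*(?:password|passwd|token|secret|api-key)[\w-]*)(?:=| +)(\S+)", re.I)


def mask(value):
    """Keep only a two-character prefix so a report can be shared without re-exposing the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def find_exposed_secrets(history_lines):
    """Return masked hits for secrets that a stolen shell history would have revealed."""
    hits = []
    for lineno, raw in enumerate(history_lines, 1):
        line = ZSH_PREFIX_RE.sub("", raw)
        for m in ASSIGN_RE.finditer(line):
            name, _quote, value = m.groups()
            if SECRET_NAME_RE.search(name):
                hits.append({"line": lineno, "kind": "env", "name": name, "masked": mask(value)})
        for m in FLAG_RE.finditer(line):
            hits.append({"line": lineno, "kind": "flag", "name": m.group(1), "masked": mask(m.group(2))})
    return hits


def inventory_targeted_artifacts(home):
    """List which of the targeted artifacts exist under `home`, with their total size in bytes."""
    home = Path(home)
    found = []
    for rel in TARGETED_PATHS:
        p = home / rel
        if not p.exists():
            continue
        size = sum(f.stat().st_size for f in p.rglob("*") if f.is_file()) if p.is_dir() else p.stat().st_size
        found.append({"path": rel, "bytes": size})
    return found


# Constructed shell history with fake secrets; nothing here is a real credential.
SAMPLE_HISTORY = [
    ": 1772600000:0;export OPENAPI_TOKEN=constructed-token-value-1234",
    "git pull origin main",
    "mysql -u app --password=constructed-pw-9 -h db.internal",
    "DB_PASSWORD='constructed-pw-2' ./migrate.sh",
    "ls -la ~/.ssh",
]


def build_demo_home():
    """Create a throwaway home directory holding constructed stand-ins for two targeted artifacts."""
    home = Path(tempfile.mkdtemp(prefix="demo-home-"))
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_bytes(b"x" * 10)  # placeholder bytes, not a real key
    (home / ".git-credentials").write_text("https://user:placeholder@git.example\n")
    return home


if __name__ == "__main__":
    for hit in find_exposed_secrets(SAMPLE_HISTORY):
        print(hit)
    for item in inventory_targeted_artifacts(build_demo_home()):
        print(item)
```

Run against a real home directory, the inventory tells a responder which of the named artifacts were present to be stolen, and the history scan yields a rotation list (variable names and flags, values masked) rather than a second copy of the secrets.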
IOC
apifox.it.com
cdn.openroute.dev
upgrade.feishu.it.com
ns.feishu.it.com
system.toshinkyo.or.jp
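The indicators above (the IOC domains, the oversized tracking script, the `af_uuid`/`af_name` headers of the loader's beacon and the `/event/0/log` exfiltration path) can be turned into a straightforward triage pass over proxy or egress logs. The Python below is an added example for this page, not code from Apifox or AUTOSEC.DEV. The log layout it parses is a constructed one-line-per-request format, the 48 KiB size threshold is an assumed cut between the ~34K legitimate script and the ~77K poisoned one, the March 4, 2026 cutoff is applied inclusively, and every hostname other than the listed IOCs is a placeholder.

```python
import re
from datetime import date, datetime

# Domains listed in the advisory's IOC section.
IOC_DOMAINS = {
    "apifox.it.com",
    "cdn.openroute.dev",
    "upgrade.feishu.it.com",
    "ns.feishu.it.com",
    "system.toshinkyo.or.jp",
}

# Custom request headers the loader sets when fetching second-stage instructions.
IOC_HEADERS = {"af_uuid", "af_name"}

# Path of the exfiltration interface named in the advisory.
EXFIL_PATH = "/event/0/log"

# The advisory says to focus on traffic after March 4, 2026; applied inclusively so the boundary day is kept.
CUTOFF = date(2026, 3, 4)

# ~34K is normal and ~77K is poisoned per the advisory; 48 KiB is an assumed threshold between the two.
SCRIPT_SIZE_LIMIT = 48 * 1024

# Constructed log layout used by this example (not a real proxy format):
#   <iso-timestamp> <client-ip> <method> <host><path> [header=value ...]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^ /]+)(?P<path>\S*)(?: (?P<headers>.*))?$"
)


def is_ioc_domain(host):
    """True for an IOC domain or any subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def script_size_suspicious(size_bytes):
    """Flag a fetched apifox-app-event-tracking.min.js that is far larger than the normal ~34K."""
    return size_bytes > SCRIPT_SIZE_LIMIT


def scan_proxy_log(lines):
    """Return one finding per log line that hits an IOC domain after the cutoff,
    carries the loader's custom headers, or posts to the exfiltration path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        day = datetime.fromisoformat(m["ts"]).date()
        host, path = m["host"], m["path"]
        reasons = []
        if is_ioc_domain(host) and day >= CUTOFF:
            reasons.append("ioc-domain")
        header_names = {h.split("=", 1)[0].lower() for h in (m["headers"] or "").split()}
        if header_names & IOC_HEADERS:
            reasons.append("loader-headers")
        if is_ioc_domain(host) and path.startswith(EXFIL_PATH):
            reasons.append("exfil-endpoint")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "host": host, "reasons": reasons})
    return findings


# Constructed sample traffic: a script fetch from a placeholder CDN, the loader's beacon,
# an exfiltration POST, a pre-cutoff hit and unrelated browsing.
SAMPLE_LOG = """\
2026-03-10T09:12:44 10.0.0.5 GET cdn-placeholder.example/apifox-app-event-tracking.min.js
2026-03-10T09:12:45 10.0.0.5 POST apifox.it.com/ af_uuid=constructed-uuid af_name=devbox
2026-03-10T09:12:50 10.0.0.5 POST apifox.it.com/event/0/log content-type=application/octet-stream
2026-03-01T08:00:00 10.0.0.9 GET apifox.it.com/
2026-03-10T11:00:00 10.0.0.7 GET example.org/index.html
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print("77K script suspicious:", script_size_suspicious(77 * 1024))
```

The domain match covers subdomains because the IOC list already mixes apex and subdomain entries; the header and path checks catch the beacon and exfiltration even if a responder's log source lacks the timestamp needed for the date filter.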
AUTOSEC.DEV Solution: Building a 360-Degree Defense
- Secure Code Review: To defend against NPM supply chain poisoning, we combine automated static analysis with expert manual review to thoroughly assess your application's source code and third-party dependencies. We identify malicious packages, hidden backdoors, and logic errors introduced by attackers, eliminating security risks at the development stage before they compromise developer environments or production systems.
- Security Awareness Training & Phishing Simulation: FAMOUS CHOLLIMA heavily relies on social engineering—such as fake job interviews or fraudulent coding tasks—to trick developers into downloading poisoned NPM packages. We design realistic phishing campaigns and deliver role-based security training to measure and improve developer susceptibility, establishing a strong "human firewall" against targeted social engineering attacks.
- End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.