Apifox External JavaScript File Supply Chain Poisoning Risk Alert

It has recently been confirmed that the Apifox desktop client (all platforms: Windows/macOS/Linux) was the target of a supply chain poisoning attack in which an external JavaScript file that the client loads dynamically at runtime was maliciously modified. Devices on which the Apifox desktop client was used between March 4, 2026 and March 22, 2026 are at risk of sensitive information leakage, host takeover, and use as a foothold for lateral movement.

Ⅰ. Risk Details

Product and Framework: Apifox is an all-in-one API collaboration platform. Its desktop client is built on the Electron framework and runs on Windows, macOS, and Linux.

Vulnerability Cause: The attacker compromised the infrastructure from which Apifox delivers its external JavaScript and replaced the file with a malicious one. Because the client did not run that remotely loaded script inside Electron's sandbox and left Node.js APIs reachable from it, the tampered JavaScript executed with the privileges of the client process and could run arbitrary commands on the user's endpoint.

Attack Characteristics: Command-and-control (C2) domain apifox.it.com (fronted by Cloudflare; attack window of roughly 18 days). Confirmed malicious behavior includes theft of highly sensitive files stored locally on the host.

Ⅱ. Risk Impact

Theft of sensitive host information: SSH private keys, Git credentials, shell command history, known_hosts server lists, the list of running processes, local file names, and similar data.

Execution of backdoor programs to gain control of the host.

Use of compromised hosts as pivots for lateral movement within the internal network.

Ⅲ. Affected Scope

All users who used the Apifox desktop client between March 4, 2026, and March 22, 2026, across Windows/macOS/Linux platforms.

The web version and the privately deployed (self-hosted) version are not affected by this incident.

Ⅳ. Detection Methods

Windows users: run the following command in PowerShell:

Select-String -Path "$env:APPDATA\apifox\Local Storage\leveldb\*" -Pattern "rl_mc","rl_headers" -List | Select-Object Path

macOS users: run the following command in Terminal:

grep -arlE "rl_mc|rl_headers" ~/Library/Application\ Support/apifox/Local\ Storage/leveldb

If either command returns one or more file paths, the host was compromised. A negative result is not conclusive: the scanned files are Local Storage cache files that may have been overwritten since the attack, so false negatives are possible. Any host on which the Apifox desktop client was used between March 4 and March 22, 2026 should be treated as likely compromised.
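The following is an added example, not code from the advisory, from Apifox, or from ITDID. It wraps the macOS grep above into a POSIX shell script for macOS and Linux that distinguishes three outcomes (indicator found, scanned but nothing found, directory not present), since a "no match" result is not the same as a clean host. The macOS directory is the one given above; the Linux directory is an assumption based on Electron's default per-user data location, which the advisory does not state. Windows users should continue to use the PowerShell command above.

```shell
#!/bin/sh
# Added example: not code from the advisory, from Apifox, or from HKUST-GZ ITDID.
# Checks the Apifox desktop client's Local Storage leveldb directory for the
# two indicator strings the advisory names (rl_mc, rl_headers) and separates
# three outcomes, because "no match" is not the same as "clean":
#   0  indicator found        -> treat the host as compromised
#   1  scanned, no indicator  -> inconclusive (leveldb cache files rotate)
#   2  directory not present  -> this user profile shows no trace of the client

IOC_PATTERN='rl_mc|rl_headers'

# apifox_ioc_check DIR
# Same grep as the advisory's macOS command: -a reads the binary leveldb files
# as text, -r recurses, -l prints only matching file names, -E enables the
# alternation in IOC_PATTERN. Matching file names go to stdout.
apifox_ioc_check() {
    dir=$1
    [ -d "$dir" ] || return 2
    matches=$(grep -arlE "$IOC_PATTERN" "$dir" 2>/dev/null || :)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# apifox_scan_host
# Checks the current user's candidate directories. The macOS path is the one
# given in the advisory. The Linux path is an ASSUMPTION based on Electron's
# default per-user data directory (~/.config or $XDG_CONFIG_HOME); the
# advisory does not state a Linux path. Returns the worst outcome seen.
apifox_scan_host() {
    set -- \
        "$HOME/Library/Application Support/apifox/Local Storage/leveldb" \
        "${XDG_CONFIG_HOME:-$HOME/.config}/apifox/Local Storage/leveldb"
    worst=2
    for d in "$@"; do
        rc=0
        files=$(apifox_ioc_check "$d") || rc=$?
        case $rc in
            0) printf 'COMPROMISED   %s\n%s\n' "$d" "$files"; worst=0 ;;
            1) printf 'INCONCLUSIVE  %s (scanned, no indicator; cache may have rotated)\n' "$d"
               [ "$worst" -eq 0 ] || worst=1 ;;
            2) printf 'NOT PRESENT   %s\n' "$d" ;;
        esac
    done
    return "$worst"
}

# apifox_ioc_selftest
# Builds a throwaway directory tree with CONSTRUCTED sample data (control and
# NUL bytes around one indicator, as in a real leveldb log file) and confirms
# that all three outcomes are reported correctly. Returns 0 on success.
apifox_ioc_selftest() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/hit/leveldb" "$t/clean/leveldb"
    printf '\000\001\007_file://\000rl_headers\000{"authorization":"sample"}\000' \
        > "$t/hit/leveldb/000003.log"
    printf '\000\001\007_file://\000other_key\000{"theme":"dark"}\000' \
        > "$t/clean/leveldb/000003.log"
    ok=1
    apifox_ioc_check "$t/hit/leveldb" >/dev/null || ok=0
    rc=0; apifox_ioc_check "$t/clean/leveldb" >/dev/null || rc=$?
    [ "$rc" -eq 1 ] || ok=0
    rc=0; apifox_ioc_check "$t/missing/leveldb" >/dev/null || rc=$?
    [ "$rc" -eq 2 ] || ok=0
    rm -rf "$t"
    [ "$ok" -eq 1 ]
}

if [ "${1:-}" = "--selftest" ]; then
    apifox_ioc_selftest && echo 'selftest: ok'
else
    apifox_scan_host || :
fi
```

Save the script as apifox_ioc_check.sh and run `sh apifox_ioc_check.sh` to scan, or `sh apifox_ioc_check.sh --selftest` to exercise it on the constructed sample data. Local Storage is kept per user profile, so run the scan under every account that used the client on the machine, and treat an INCONCLUSIVE result on a host that ran the client during the exposure window as grounds for the credential rotation described in Section Ⅴ.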

Ⅴ. Response and Remediation Recommendations

1. Upgrade the Client Immediately 

Update to Apifox 2.8.21 or later as soon as possible.

2. Full Replacement of Sensitive Credentials

Endpoint devices that ran Apifox within the exposure window must immediately audit and rotate sensitive credentials, including but not limited to Git keys, authentication tokens and keys, database passwords, cloud service Access Keys, and secrets stored in environment variables.

3. Full-System Antivirus Scan

The malicious script was capable of downloading and executing additional payloads (remote Trojan delivery). Install up-to-date antivirus software and run a full-system scan. If antivirus software was already installed during the attack window, clear its trusted zone/whitelist before scanning, in case exclusions were added.

4. Block Malicious Domain Locally

Modify the system hosts file (/etc/hosts on macOS and Linux; C:\Windows\System32\drivers\etc\hosts on Windows) and add the entry:

127.0.0.1 apifox.it.com

5. Network-Level Blocking of Malicious Domain

On internal DNS resolvers and network security devices, block resolution of apifox.it.com (for example by sinkholing the domain) so that clients cannot reach the C2 server.

6. Security Verification

On affected devices, audit logs, terminate suspicious processes, and scan for malicious files to eliminate residual backdoors.

Ⅵ. External References

https://docs.apifox.com/8392582m0

https://rce.moe/2026/03/25/apifox-supply-chain-attack-analysis

If there are any questions, please feel free to contact the Information Technology and Data Intelligence Department at <gzit@hkust-gz.edu.cn>. 

Information Technology and Data Intelligence Department (ITDID)

March 30, 2026