CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack

Home Cyber Security News CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack The Cybersecurity and Infrastructure Security Agency (CISA) has released a critical alert regarding a severe software supply chain compromise. The attack targets Axios, a massively popular HTTP client for JavaScript that developers worldwide rely on for Node.js and browser environments. Supply chain attacks have become a top priority for security teams, as compromising a single popular package can instantly affect thousands of downstream organizations. According to the April 20, 2026 advisory, threat actors successfully compromised the Axios node package manager (npm) ecosystem on March 31, 2026. The attackers injected a malicious dependency into specific software updates. Deployment of Remote Access Trojan When developers install these affected updates, the dependency silently downloads multi-stage payloads from the attackers’ infrastructure, ultimately deploying a remote access trojan (RAT) on the victim’s machine. Once installed, this remote access trojan grants cybercriminals backdoor access to sensitive development environments. This allows threat actors to steal source code, manipulate applications, exfiltrate data, or pivot deeper into internal corporate networks. Security researchers from Microsoft and GitHub have been tracking the incident closely, noting that the malicious code specifically targets versions 1.14.1 and 0.30.4 of Axios. The attackers used an injected dependency, plain-crypto-js@4.2.1, to execute these malicious downloads. CISA strongly urges all organizations to review their code repositories, developer machines, and CI/CD pipelines immediately. If your team has run npm install or npm update with the compromised versions, you should take the following actions to secure your environment: Revert your development environment to a known safe state if any compromised dependencies are discovered. Downgrade your Axios installations to the verified safe versions: axios@1.14.0 or axios@0.30.3. Manually locate and delete the node_modules/plain-crypto-js/ directory from all active projects. Rotate and revoke all exposed credentials, including cloud keys, npm tokens, SSH keys, and CI/CD secrets. Block all outbound network connections to the attacker command and control (C2) domain at Sfrclak[.]com. Monitor endpoints for unexpected child processes and anomalous network behavior, particularly during routine npm installations. Long-Term Prevention Strategies To prevent future supply chain compromises, CISA and independent security firms like Socket and StepSecurity recommend tightening overall npm security hygiene. Organizations should establish a baseline of normal execution behavior for all tools utilizing Axios. Developers and security teams should implement the following proactive measures: Require phishing-resistant multifactor authentication (MFA) across all developer accounts and critical deployment platforms. Modify the .npmrc configuration file to include ignore-scripts=true, which stops potentially malicious scripts from running automatically when a package is installed. Add min-release-age=7 to the .npmrc file to ensure only packages that have been publicly vetted for at least seven days are permitted to install. Set up automated alerts to detect when dependencies behave unusually, such as suddenly building containers, enabling remote shells, or executing unexpected system commands. Organizations are encouraged to conduct continuous threat hunting using endpoint detection and response (EDR) tools to ensure no lingering indicators of compromise remain active on their networks. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security Claude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via GitHub Comments Cyber Security News SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Webmail Credentials Cyber Security PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability Top 10 Top 10 Best User Access Management Tools in 2026 April 4, 2026 Top 10 Best VPN For Chrome in 2026 April 4, 2026 20 Best Application Performance Monitoring Tools in 2026 April 3, 2026 Top 10 Best VPN For Linux In 2026 April 3, 2026 10 Best VPN For Privacy In 2026 April 2, 2026