CISA Warns of Axios npm Package Supply Chain Attack
Key Takeaways A critical software supply chain attack compromised specific versions of the popular Axios JavaScript HTTP client. Threat actors injected a malicious dependency, [email protected],...
Key Takeaways
- A critical software supply chain attack compromised specific versions of the popular Axios JavaScript HTTP client.
- Threat actors injected a malicious dependency,
[email protected], into Axios versions 1.14.1 and 0.30.4. - The attack deploys a remote access trojan (RAT) on developers’ machines, granting attackers backdoor access to sensitive environments.
- CISA issued an urgent alert, advising immediate action for organizations that used the compromised versions and recommending long-term prevention strategies.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a significant software supply chain compromise affecting Axios, a widely used JavaScript HTTP client. This incident highlights the escalating threat of supply chain attacks, where a single compromised package can ripple through thousands of downstream organizations globally.
Table Of Content
According to an advisory released on April 20, 2026, malicious actors successfully infiltrated the Axios Node Package Manager (npm) ecosystem on March 31, 2026. During this compromise, attackers introduced a harmful dependency into specific software updates for the Axios package.
Remote Access Trojan Deployment
When developers install the affected Axios updates, the injected dependency surreptitiously downloads multi-stage payloads from attacker-controlled infrastructure. This process ultimately leads to the deployment of a remote access trojan (RAT) onto the victim’s development machine.
Once established, this RAT provides cybercriminals with backdoor access to critical development environments. Such access enables threat actors to steal sensitive source code, manipulate applications, exfiltrate proprietary data, or pivot deeper into internal corporate networks, posing severe risks to intellectual property and operational integrity.
Security researchers from Microsoft and GitHub have been actively monitoring the incident. Their investigations confirmed that the malicious code specifically targets Axios versions 1.14.1 and 0.30.4. The attackers leveraged an injected dependency, identified as [email protected], to facilitate these malicious downloads and subsequent RAT deployment.
What You Should Do
CISA strongly advises all organizations to immediately review their code repositories, developer machines, and CI/CD pipelines for any signs of compromise. If your team has executed npm install or npm update with the affected Axios versions, the following actions are crucial to secure your environment:
- Revert your development environment to a known safe state if any compromised dependencies are discovered.
- Downgrade your Axios installations to the verified safe versions:
[email protected]or[email protected]. - Manually locate and delete the
node_modules/plain-crypto-js/directory from all active projects. - Rotate and revoke all exposed credentials, including cloud keys, npm tokens, SSH keys, and CI/CD secrets.
- Block all outbound network connections to the attacker’s command and control (C2) domain at
Sfrclak[.]com. - Monitor endpoints for unexpected child processes and anomalous network behavior, especially during routine npm installations.
Long-Term Prevention Strategies
To bolster defenses against future supply chain compromises, CISA, alongside independent security firms like Socket and StepSecurity, recommends strengthening overall npm security hygiene. Organizations should establish a baseline of normal execution behavior for all tools that utilize Axios.
Developers and security teams should implement the following proactive measures:
- Require phishing-resistant multifactor authentication (MFA) across all developer accounts and critical deployment platforms.
- Modify the
.npmrcconfiguration file to includeignore-scripts=true, which prevents potentially malicious scripts from running automatically during package installation. - Add
min-release-age=7to the.npmrcfile to ensure that only packages publicly vetted for at least seven days are permitted to install. - Set up automated alerts to detect unusual dependency behavior, such as sudden container builds, remote shell enablement, or unexpected system command execution.
Organizations are also encouraged to conduct continuous threat hunting using endpoint detection and response (EDR) tools to ensure no lingering indicators of compromise remain active on their networks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.