CISA Warns of Major Supply Chain Attack on Axios Package Compromised

A critical alert concerning a severe software supply chain compromise has been issued by the Cybersecurity and Infrastructure Security Agency (CISA).

The attack targets Axios, a massively popular HTTP client for JavaScript that developers worldwide rely on for Node.js and browser environments.

Supply chain attacks have become a top priority for security teams, as compromising a single popular package can instantly affect thousands of downstream organizations.

According to the April 20, 2026 advisory, threat actors successfully compromised the Axios node package manager (npm) ecosystem on March 31, 2026.

The attackers injected a malicious dependency into specific software updates.

Deployment of Remote Access Trojan

When developers install these affected updates, the dependency silently downloads multi-stage payloads from the attackers’ infrastructure, ultimately deploying a remote access trojan (RAT) on the victim’s machine.

Once installed, this remote access trojan grants cybercriminals backdoor access to sensitive development environments.

This allows threat actors to steal source code, manipulate applications, exfiltrate data, or pivot deeper into internal corporate networks.

Security researchers from Microsoft and GitHub have been tracking the incident closely, noting that the malicious code specifically targets versions 1.14.1 and 0.30.4 of Axios.

The attackers used an injected dependency, [email protected], to execute these malicious downloads.

CISA strongly urges all organizations to review their code repositories, developer machines, and CI/CD pipelines immediately.

If your team has run npm install or npm update with the compromised versions, you should take the following actions to secure your environment:

• Revert your development environment to a known safe state if any compromised dependencies are discovered.
• Downgrade your Axios installations to the verified safe versions: [email protected] or [email protected].
• Manually locate and delete the node_modules/plain-crypto-js/ directory from all active projects.
• Rotate and revoke all exposed credentials, including cloud keys, npm tokens, SSH keys, and CI/CD secrets.
• Block all outbound network connections to the attacker command and control (C2) domain at Sfrclak[.]com.
• Monitor endpoints for unexpected child processes and anomalous network behavior, particularly during routine npm installations.

Long-Term Prevention Strategies

To prevent future supply chain compromises, CISA and independent security firms like Socket and StepSecurity recommend tightening overall npm security hygiene.

Organizations should establish a baseline of normal execution behavior for all tools utilizing Axios.

Developers and security teams should implement the following proactive measures:

• Require phishing-resistant multifactor authentication (MFA) across all developer accounts and critical deployment platforms.
• Modify the .npmrc configuration file to include ignore-scripts=true, which stops potentially malicious scripts from running automatically when a package is installed.
• Add min-release-age=7 to the .npmrc file to ensure only packages that have been publicly vetted for at least seven
  days are permitted to install.
• Set up automated alerts to detect when dependencies behave unusually, such as suddenly building containers, enabling remote shells, or executing unexpected system commands.

Organizations are encouraged to conduct continuous threat hunting using endpoint detection and response (EDR) tools to ensure no lingering indicators of compromise remain active on their networks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.