Supply Chain Compromise Impacts Axios Node Package Manager
bjackson
·
2026-04-20
·
via Cybersecurity and Infrastructure Security Agency CISA
<div class="c-field c-field--name-field-release-date c-field--type-datetime c-field--label-above"> <div class="c-field__label">Release Date</div><div class="c-field__content"><time datetime="2026-04-20T12:00:00Z">April 20, 2026</time></div></div>
<div class="c-field c-field--name-field-description c-field--type-text-long c-field--label-above"> <div class="c-field__label">Description</div><div class="c-field__content"><div class="OutlineElement Ltr SCXW232133708 BCX8"><p>The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios package on the Node Package Manager (npm) registry.<a href="#note1"><sup>1</sup></a> Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments. </p></div>
<div class="OutlineElement Ltr SCXW232133708 BCX8"><p>On March 31, 2026, two malicious versions of Axios, <code>axios@1.14.1</code> and <code>axios@0.30.4</code>, were published to npm. Each declares a new dependency, <code>plain-crypto-js@4.2.1</code>, that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.<a href="#note2"><sup>2</sup></a> Projects that declare Axios with a semver range (for example <code>^1.14.0</code>) and ran <code>npm install</code> without a lockfile, or ran <code>npm update</code>, while the malicious versions were available could have pulled them in without any change to <code>package.json</code>.</p>
<div class="OutlineElement Ltr SCXW205905216 BCX8"><p>CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise: </p></div><div class="ListContainerWrapper SCXW205905216 BCX8"><ul><li>Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran <code>npm install</code> or <code>npm update</code> with a compromised Axios version. 
<ul><li>Search for cached copies of the affected versions in artifact repositories, registry proxies, and dependency management tools, and check committed lockfiles (<code>package-lock.json</code>, <code>npm-shrinkwrap.json</code>) for them. Pin npm package dependency versions to known safe releases.</li></ul></li></ul>
<div class="OutlineElement Ltr SCXW94631961 BCX8"><p>If compromised dependencies are identified, revert the environment to a known safe state. </p></div>
<div class="ListContainerWrapper SCXW94631961 BCX8"><ul><li>Downgrade to <code>axios@1.14.0</code> or <code>axios@0.30.3</code> and delete <code>node_modules/plain-crypto-js/</code>. Reinstall from the pinned lockfile into a clean <code>node_modules</code> rather than editing the installed tree in place. Because the payload includes a remote access trojan, downgrading the package does not by itself clean a host on which the malicious version already executed; such hosts need the credential rotation and hunting steps below.</li></ul></div>
<div class="ListContainerWrapper SCXW94631961 BCX8"><ul><li>Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.</li></ul></div>
<div class="ListContainerWrapper SCXW94631961 BCX8"><ul><li>Monitor for unexpected child processes and anomalous network behavior, specifically during <code>npm install</code> or <code>npm update</code>. 
<ul><li>Block and monitor outbound connections to <code>Sfrclak[.]com</code> domains.</li><li>Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm that no indicators of compromise (IOCs) remain and that there is no further egress to the command and control (C2) infrastructure.</li></ul></li></ul>
<div class="OutlineElement Ltr SCXW237985159 BCX8"><p>In addition, CISA recommends that organizations using Axios from npm:</p></div>
<div class="ListContainerWrapper SCXW237985159 BCX8"><ul><li>Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.</li></ul></div>
<div class="ListContainerWrapper SCXW237985159 BCX8"><ul><li>Set <code>ignore-scripts=true</code> in the <code>.npmrc</code> configuration file, which prevents package lifecycle scripts (such as <code>preinstall</code> and <code>postinstall</code>) from executing during <code>npm install</code>. This also blocks legitimate install scripts, so packages that rely on them (native builds, for example) must be handled explicitly.</li></ul></div>
<div class="ListContainerWrapper SCXW237985159 BCX8"><ul><li>Set <code>min-release-age=7</code> in the <code>.npmrc</code> configuration file (on an npm release that supports the option) to only install package versions that have been published for at least seven days, which gives the ecosystem time to identify and remove releases that are malicious or not yet fully vetted before they reach your builds.</li></ul></div>
<div class="ListContainerWrapper SCXW237985159 BCX8"><ul><li>Establish and maintain a baseline of normal execution behavior for tools that use Axios. 
<ul><li>Alert when a dependency deviates from that baseline (e.g., building containers, spawning shells, executing commands) and trace outbound network activity for anomalous connections.</li></ul></li></ul>
<div class="SCXW13694102 BCX8"><div class="OutlineElement Ltr SCXW13694102 BCX8"><p>See the following resources for additional guidance on this compromise: </p></div><div class="ListContainerWrapper SCXW13694102 BCX8"><ul><li>GitHub: <a href="https://github.com/axios/axios/issues/10636" target="_blank"><u>Post Mortem: axios npm supply chain compromise #10636</u></a></li></ul></div></div>
<div class="SCXW13694102 BCX8"><div class="ListContainerWrapper SCXW13694102 BCX8"><ul><li>Microsoft: <a href="https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/" target="_blank"><u>Mitigating the Axios npm supply chain compromise</u></a></li></ul></div>
<div class="ListContainerWrapper SCXW13694102 BCX8"><ul><li>StepSecurity: <a href="https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan" target="_blank"><u>axios Compromised on npm - Malicious Versions Drop Remote Access Trojan</u></a></li></ul></div>
<div class="ListContainerWrapper SCXW13694102 BCX8"><ul><li>npm Docs: <a href="https://docs.npmjs.com/packages-and-modules/securing-your-code" target="_blank"><u>Securing your code</u></a></li></ul></div>
<div class="ListContainerWrapper SCXW13694102 BCX8"><ul><li>Socket: <a href="https://socket.dev/blog/axios-npm-package-compromised" target="_blank"><u>Supply Chain Attack on Axios Pulls Malicious Dependency from npm</u></a></li></ul><h2><strong>Disclaimer</strong></h2><p>The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.</p><h2><strong>Notes</strong></h2><p><a class="ck-anchor" id="note1"></a><sup>1</sup> “Post Mortem: axios npm supply chain compromise,” axios GitHub, Issue #10636, March 31, 2026, <a href="https://github.com/axios/axios/issues/10636" target="_blank">https://github.com/axios/axios/issues/10636</a>.</p><p><a class="ck-anchor" id="note2"></a><sup>2</sup> “Mitigating the Axios npm supply chain compromise,” Microsoft Threat Intelligence and Microsoft Defender Security Research Team, April 1, 2026, <a href="https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/" target="_blank">https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/</a>.</p></div></div></div></div></div></div></div></div> <div class="c-field c-field--name-field-advisory-type c-field--type-entity-reference c-field--label-above"> <div class="c-field__label">Advisory Type</div><div class="c-field__content">Alert</div></div>