CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a serious software supply chain attack targeting the widely used Axios npm package.

Axios is a popular JavaScript library used by developers to handle HTTP requests in both Node.js and browser environments, making this compromise particularly dangerous due to its widespread adoption.

According to CISA, the breach occurred on March 31, 2026, when attackers successfully injected malicious code into two Axios versions: 1.14.1 and 0.30.4.

Developers who updated to these versions unknowingly installed a hidden dependency called plain-crypto-js version 4.2.1, which acts as a stealthy malware loader.

This malicious package connects to attacker-controlled infrastructure and downloads additional payloads.

The primary payload identified is a remote access trojan (RAT), which enables attackers to gain persistent access to compromised systems.

Once inside, threat actors can steal sensitive data, including source code, environment variables, API keys, and credentials.

The impact of this attack is significant, especially for development environments. If a developer machine is infected, attackers can move laterally into corporate networks, potentially compromising CI/CD pipelines and production systems.

This makes the incident not just a developer risk but a broader enterprise security threat.

CISA has strongly urged organizations to take immediate action. Security teams should review recent npm activity and identify systems that may have installed the affected Axios versions.

If a compromise is suspected, organizations should downgrade to a safe version, such as Axios 1.14.0 or 0.30.3.

Additionally, teams must locate and remove the malicious directory node_modules/plain-crypto-js/ from all affected projects.

It is also critical to revoke and rotate any potentially exposed credentials, including cloud access keys, npm tokens, SSH keys, and CI/CD secrets.

Network monitoring is another key step. Organizations should monitor outbound connections to the known malicious domain Sfrclak[.]com and conduct endpoint detection and response (EDR) investigations to identify any ongoing command-and-control activity.
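To support the review step described above, here is an added example (not part of the CISA advisory or the Axios project) that scans a parsed package-lock.json for the affected versions named in this article. The function name scanLockfile and both sample lockfiles are constructed for illustration; it goes beyond the text by also covering aliased installs and the older nested lockfile layout.

```javascript
// Versions and package names come from the article; everything else is illustrative.
const COMPROMISED = new Map([
  ['axios', ['1.14.1', '0.30.4']],
  ['plain-crypto-js', ['4.2.1']],
]);
function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, location) => {
    if ((COMPROMISED.get(name) || []).includes(version)) findings.push({ name, version, location });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const i = path.lastIndexOf('node_modules/');
      // An aliased install keeps the real package name in entry.name.
      const name = entry.name || (i === -1 ? path : path.slice(i + 13));
      check(name, entry.version, path);
    }
    return findings;
  }
  // lockfileVersion 1: nested tree; aliases appear as "npm:<name>@<version>".
  const walk = (deps, prefix) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const location = `${prefix}node_modules/${key}`;
      const alias = /^npm:(.+)@([^@]+)$/.exec(entry.version || '');
      check(alias ? alias[1] : key, alias ? alias[2] : entry.version, location);
      walk(entry.dependencies, `${location}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lockfiles (not from a real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '4.2.1' },
  'node_modules/http-client': { name: 'axios', version: '0.30.4' }, // alias
  'node_modules/legacy/node_modules/axios': { version: '0.30.3' },  // safe version
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  axios: { version: '1.14.0' },
  'api-sdk': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
} };
console.log(scanLockfile(sampleV3), scanLockfile(sampleV1));
```

Pass it the result of JSON.parse on a project's package-lock.json. A clean lockfile does not rule out an earlier install, so the check for the node_modules/plain-crypto-js/ directory still applies.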

Beyond immediate remediation, this incident highlights the growing risk of software supply chain attacks.

Threat actors increasingly exploit trusted package ecosystems to distribute malware at scale. To reduce future risk, organizations should strengthen their npm security configurations.

CISA recommends setting ignore-scripts=true in the .npmrc file to block automatic execution of package scripts.

Another important control is min-release-age=7, which prevents installation of newly published packages that may not yet be verified.

Organizations should also enforce phishing-resistant multi-factor authentication across developer accounts and establish behavioral baselines for build systems.

Monitoring for unusual processes or unexpected external connections can help detect attacks early.

This Axios compromise serves as a critical reminder that even trusted open-source components can become attack vectors, making proactive security controls essential for modern software development.

The post CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack appeared first on Cyber Security News.

rssfeeds-admin
