Active Supply Chain Attack Targeting Axios NPM
Summary
The CSSF issued an urgent advisory on 3 April 2026 regarding a critical supply chain attack targeting two versions of the Axios HTTP client library (1.14.1 and 0.30.4). Threat actors compromised maintainer accounts to inject the malicious dependency plain-crypto-js (version 4.2.1). Supervised entities that performed npm install between 00:21 and 03:25 UTC on March 31, 2026 should assume their systems are compromised. Affected entities must report this major ICT incident under DORA (Circular CSSF 25/893) or Circular CSSF 24/847.
What changed
The CSSF notified supervised entities of an active supply chain compromise affecting Axios NPM versions 1.14.1 and 0.30.4. Threat actors injected the malicious dependency plain-crypto-js (specifically version 4.2.1) through compromised maintainer accounts. Entities that ran npm install during the breach window (00:21-03:25 UTC, March 31, 2026) likely pulled the payload enabling remote code execution, credential theft, and lateral movement.

Supervised entities must immediately: check for Axios usage and isolate affected systems; rotate all credentials (NPM tokens, GitHub tokens, cloud keys, SSH keys, database keys); rebuild from a clean state predating March 30, 2026; block C2 infrastructure; revert to safe Axios versions; purge the NPM cache; and enable MFA. As this constitutes a major ICT-related incident, affected entities must notify the CSSF pursuant to Circular CSSF 25/893 (DORA) or Circular CSSF 24/847. All 16 categories of CSSF-supervised entities are potentially affected.
What to do next
- Audit all systems for Axios NPM package usage, checking npm install logs for activity between 00:21-03:25 UTC on March 31, 2026
- If compromised versions are detected, treat affected systems as fully compromised: isolate immediately, rotate all credentials, and rebuild from a clean state prior to March 30, 2026
- Submit ICT incident notification to CSSF under Circular CSSF 25/893 (DORA) or Circular CSSF 24/847 as applicable
Source document (simplified)
Published on 3 April 2026 (Communiqué)
Active supply chain attack targeting Axios NPM
The CSSF has been made aware of a critical supply chain attack targeting two versions of the widely used Axios HTTP client library package. Threat actors compromised maintainer accounts to inject a dependency, plain-crypto-js (specifically version 4.2.1).
As Axios is central to many architectures, a compromise of the build pipeline can result in remote code execution (RCE), credential theft, and lateral movement within the Information System. Users who performed an npm install or updated to the impacted versions of Axios within the compromised window have likely pulled the malicious payload and should assume their system is compromised.
The CSSF recommends all supervised entities using the Axios package to implement remediation actions including at least the following:
- Check if you use the Axios package. If your environment installed the compromised versions of Axios (1.14.1 or 0.30.4) during the breach, i.e. if you ran npm install between 00:21 and 03:25 UTC on March 31, 2026, you likely pulled the malicious code. You should treat the affected systems as fully compromised. The malicious dependency is plain-crypto-js (any version, but specifically 4.2.1).
- Immediately isolate the affected system.
- Rotate all credentials (NPM tokens, GitHub tokens, cloud access keys, SSH keys, database keys, etc.).
- Rebuild the system from a known clean state (before 30 March 2026).
- Block C2 infrastructure.
- Revert to a known safe version of Axios.
- Purge NPM cache.
- Continually monitor for compromise.
- Make sure you are hardened for the future (e.g. MFA).

In addition, as this supply chain intrusion involving unauthorised malicious access constitutes a major ICT-related incident, the CSSF reminds all supervised entities that it must be notified. Notifications must be submitted according to either Circular CSSF 25/893 (DORA) or Circular CSSF 24/847, as relevant.
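As an added example (not the CSSF's or the Axios project's own code), the following Python script implements the first check of the procedure above, both as summarised under "What to do next" and as listed in the communiqué: it scans a parsed package-lock.json for the two compromised Axios releases and for plain-crypto-js in any version, and tests an install timestamp taken from CI or npm logs against the breach window. The embedded sample lockfile is constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Indicators quoted from the advisory.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEP, KNOWN_MALICIOUS_VERSION = "plain-crypto-js", "4.2.1"  # any version is suspect; 4.2.1 is the confirmed one
WINDOW_START = datetime(2026, 3, 31, 0, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 31, 3, 25, tzinfo=timezone.utc)

def name_from_path(path):
    """'node_modules/foo/node_modules/@scope/pkg' -> '@scope/pkg' (lockfile v2/v3 key)."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock):
    """Indicator hits, as (name, version, location, reason), in a parsed package-lock.json (v1 tree or v2/v3 map)."""
    findings = []
    def check(name, version, where):
        if name == "axios" and version in BAD_AXIOS_VERSIONS:
            findings.append((name, version, where, "compromised axios release"))
        elif name == MALICIOUS_DEP:
            reason = ("known malicious version" if version == KNOWN_MALICIOUS_VERSION
                      else "malicious dependency name (any version)")
            findings.append((name, version, where, reason))
    if "packages" in lock:                  # v2/v3: flat path -> metadata map
        for path, meta in lock["packages"].items():
            if path:                        # '' is the root project itself
                check(name_from_path(path), meta.get("version"), path)
    else:                                   # v1: nested dependency tree
        def walk(deps, prefix=""):
            for name, meta in (deps or {}).items():
                check(name, meta.get("version"), prefix + name)
                walk(meta.get("dependencies"), prefix + name + " > ")
        walk(lock.get("dependencies"))
    return findings

def in_breach_window(iso_timestamp):
    """True if an install time (e.g. from CI logs) is inside 00:21-03:25 UTC on 31 March 2026."""
    t = datetime.fromisoformat(iso_timestamp.replace("Z", "+00:00"))
    return WINDOW_START <= t.astimezone(timezone.utc) <= WINDOW_END

SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {      # constructed sample (v3) containing a hit
    "": {"name": "demo-app", "version": "1.0.0"}, "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"}, "node_modules/express": {"version": "4.19.2"}}}

if __name__ == "__main__":                  # audit the lockfile named on the command line, else the sample
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(*audit_lockfile(lock), sep="\n")
```

Any finding means the host should be handled as fully compromised per the steps above; a clean lockfile alone does not clear a machine whose install time falls inside the window, since the cache and node_modules may already have been replaced.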
Relevant for
- Central Securities Depositories (CSDs)
- Credit institutions
- Credit servicers
- Crowdfunding service providers
- Crypto-Assets Service Providers (CASPs)
- Data Reporting Service Providers (DRSPs)
- Investment firms
- Investment fund managers
- Investment funds and vehicles
- Issuers of Tokens
- Mortgage credit intermediaries
- Payment institutions/electronic money institutions/AISPs
- Public Oversight of the Audit Profession
- Specialised PFS
- Support PFS
- Virtual Asset Service Providers (VASPs)