Supply Chain Compromise Impacts Axios Node Package Manager
Summary
CISA has issued an alert disclosing a supply chain compromise affecting Axios npm versions 1.14.1 and 0.30.4, which injected malicious dependency plain-crypto-js@4.2.1 that downloads a remote access trojan from threat actor infrastructure. The agency is urging all organizations using Axios npm to immediately downgrade to safe versions (axios@1.14.0 or axios@0.30.3), rotate exposed credentials, and implement recommended npm configuration settings. CISA advises monitoring CI/CD pipelines and developer machines for indicators of compromise, blocking connections to Sfrclak[.]com domains, and mandating phishing-resistant MFA on developer accounts.
Development teams and DevOps engineers using Axios npm in automated builds should audit their dependency lock files and artifact caches for axios@1.14.1 and axios@0.30.4 immediately. The two npmrc configuration changes CISA recommends—ignore-scripts=true and min-release-age=7—can be deployed organization-wide as a preventive control; both settings reduce the attack surface of supply chain injections without requiring version-specific remediation. Security teams should also proactively search for any internal tooling that references Sfrclak[.]com domains, as existing C2 connections would indicate active compromise beyond the initial infection window.
What changed
On March 31, 2026, two versions of the Axios npm package (axios@1.14.1 and axios@0.30.4) were compromised with a malicious plain-crypto-js@4.2.1 dependency that downloads multi-stage payloads, including a remote access trojan, from Sfrclak[.]com. CISA's alert provides specific remediation steps: downgrading to safe versions, deleting the malicious dependency, rotating all potentially exposed credentials, and implementing npm configuration hardening (ignore-scripts=true, min-release-age=7).

Any organization that runs npm install or npm update in CI/CD pipelines, developer machines, or build environments using the compromised versions faces potential unauthorized access and credential theft. Organizations must audit all systems that executed the affected Axios versions, conduct EDR hunts for IOCs, and block command-and-control traffic to the identified domains. Developers using Axios npm should also implement phishing-resistant MFA and establish behavioral baselines to detect anomalous dependency behavior.
What to do next
- Downgrade to axios@1.14.0 or axios@0.30.3 and delete node_modules/plain-crypto-js/
- Rotate/revoke credentials that may have been exposed on affected systems or pipelines
- Set ignore-scripts=true in the .npmrc configuration file
- Set min-release-age=7 in the .npmrc configuration file
Archived snapshot
Apr 20, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Alert
Supply Chain Compromise Impacts Axios Node Package Manager
Release Date
April 20, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.
On March 31, 2026, two published versions of the Axios npm package, axios@1.14.1 and axios@0.30.4, injected the malicious dependency plain-crypto-js@4.2.1, which downloads multi-stage payloads, including a remote access trojan, from cyber threat actor infrastructure.
CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:
- Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
- Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases. If compromised dependencies are identified, revert the environment to a known safe state.
- Downgrade to axios@1.14.0 or axios@0.30.3 and delete node_modules/plain-crypto-js/.
- Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
- Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
- Block and monitor outbound connections to Sfrclak[.]com domains.
- Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).
In addition, CISA recommends organizations using Axios npm:
- Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
- Set ignore-scripts=true in the .npmrc configuration file, which prevents potentially malicious install scripts from executing when npm installs packages.
- Set min-release-age=7 in the .npmrc configuration file to only install packages that have been published for at least seven days, which helps avoid installation of packages that may not be completely vetted or are potentially malicious.
- Establish and maintain a baseline of normal execution behavior for tools that use Axios.
- Alert when a dependency behaves differently (e.g., building containers, enabling shells, executing commands) and trace outbound network activity for anomalous connections.
See the following resources for additional guidance on this compromise:
- GitHub: Post Mortem: axios npm supply chain compromise #10636
- StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
- npm Docs: Securing your code
- Socket: Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Notes
1 “Post Mortem: axios npm supply chain compromise,” axios GitHub, Issue #10636, March 31, 2026, https://github.com/axios/axios/issues/10636.
2 “Mitigating the Axios npm supply chain compromise,” Microsoft Threat Intelligence and Microsoft Defender Security Research Team, April 1, 2026, https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/.
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.