
Supply Chain Compromise Impacts Axios Node Package Manager

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm). [1] Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two npm packages for versions `[email protected]` and `[email protected]` of Axios npm injected the malicious dependency `[email protected]` that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan. [2]

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:

- Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran `npm install` or `npm update` with the compromised Axios version.
  - Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases.

If compromised dependencies are identified, revert the environment to a known safe state.

- Downgrade to `[email protected]` or `[email protected]` and delete `node_modules/plain-crypto-js/`.
- Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
- Monitor for unexpected child processes and anomalous network behavior, specifically during `npm install` or `npm update`.
  - Block and monitor outbound connections to `Sfrclak[.]com` domains.
  - Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).

In addition, CISA recommends organizations using Axios npm:

- Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
- Set `ignore-scripts`


Originally published by CISA

Source: https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
