
Supply Chain Compromise Impacts Axios Node Package Manager

2026-04-20, USCISA
https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
#Axios #NPM

Contents

Supply Chain Compromise Impacts Axios Node Package Manager
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm) [1]. Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.
On March 31, 2026, two npm packages for versions [email protected] and [email protected] of Axios npm injected the malicious dependency [email protected] that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan [2].
CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:
- Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
- Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases.
- If compromised dependencies are identified, revert the environment to a known …
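As an added illustration of the first two recommendations (this is example code, not from CISA or the axios project): a small Node.js script that walks a package-lock.json, in both the lockfileVersion 1 nested layout and the v2/v3 path-keyed layout, and flags every dependency pinned at a version on a compromised list. The version 9.9.9 and the sample lockfile are placeholders constructed for the demo; take the real affected versions from the advisories.

```javascript
// Added example: find compromised package@version pins in an npm lockfile.
// PLACEHOLDER: 9.9.9 is not a real affected axios version; fill in the
// versions named in the CISA / Microsoft advisories before running for real.
const COMPROMISED = {
  axios: new Set(['9.9.9']),
};

// Returns [{ name, version, where }] for every match in the lockfile object.
// Handles v2/v3 ("packages" keyed by install path) and v1 (nested "dependencies").
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = compromised[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // Keys look like "node_modules/axios" or "node_modules/foo/node_modules/axios";
    // the empty key "" is the root project itself. Scoped names keep their "@scope/".
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else {
    // v1: each dependency may carry its own nested "dependencies" object.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        check(name, meta.version, where);
        walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Convenience wrapper for a real lockfile on disk: node scan.js ./package-lock.json
function scanLockfile(path) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Constructed sample lockfile: a transitive axios copy is pinned at the placeholder version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/axios': { version: '9.9.9' },
    'node_modules/axios': { version: '1.0.0' },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

Nested copies under a dependency's own node_modules are the ones a top-level `npm ls` glance tends to miss, which is why the walk reports the full install path rather than just the package name.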

IoC

https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
http://Sfrclak.com
https://github.com/axios/axios/issues/10636