HackWatch

Supply Chain Compromise Hits Axios NPM Package: What Developers and Organizations Must Do

Breach coverage centered on exposed data, scope clarification and immediate containment priorities.

Potential exposure event. Confirm scope, identify affected accounts or records and move quickly on resets, notifications and monitoring.
Technical reviewer: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

By: Artur Ślesik

Published: Apr 20, 2026

Updated: May 01, 2026

Incident status: Mitigation available

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure relevance, source consistency and whether the remediation advice would make sense to an administrator responsible for live routers and servers. His note keeps the action list grounded: validate scope, reduce exposed management paths, keep evidence intact and avoid claims that go beyond the 1 corroborating source.

Review our editorial policy or send corrections to [email protected].

Mitigation available. Mitigation guidance or a workaround is available, but defenders should still verify rollout status and exposure.

In March 2026, the Axios npm package was compromised with a malicious dependency that installed a remote access trojan, impacting countless Node.js projects worldwide.

What happened

On March 31, 2026, it was discovered that two versions of the popular Axios npm package, `axios@1.14.1` and `axios@0.30.4`, were compromised by a malicious dependency named `plain-crypto-js`. This dependency was injected into the package supply chain and was designed to download and execute multi-stage payloads, including a remote access trojan (RAT), from attacker-controlled infrastructure. Axios is widely used as an HTTP client in JavaScript environments, both server-side (Node.js) and in browsers, making this compromise a significant threat to a broad swath of software projects.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on April 20, 2026, providing detailed guidance on detection, remediation, and prevention of this supply chain attack. The malicious payload was linked to domains such as `Sfrclak[.]com`, which facilitated command and control (C2) communications.

Confirmed facts

  • The compromised Axios versions are `axios@1.14.1` and `axios@0.30.4`.
  • The malicious dependency `plain-crypto-js` was injected into these versions.
  • The payload included a remote access trojan capable of multi-stage downloads.
  • The attack infrastructure communicated with domains like `Sfrclak[.]com`.
  • The compromise was publicly disclosed by Axios maintainers and corroborated by Microsoft Threat Intelligence and CISA.
  • The attack vector primarily targeted developers running `npm install` or `npm update` with the affected Axios versions.
  • CISA recommends downgrading to the last known safe versions: `axios@1.14.0` or `axios@0.30.3`.

Who is affected

  • Developers and organizations using Axios versions 1.14.1 or 0.30.4 in their projects.
  • CI/CD pipelines and build environments that automatically fetch dependencies without pinning versions.
  • Artifact repositories and dependency caches that may have stored the malicious packages.
  • Systems with exposed credentials such as version control tokens, cloud keys, or SSH keys that could be harvested by the trojan.

Given Axios's popularity, thousands of open-source and enterprise projects globally are potentially impacted. Any environment that installed or updated Axios to the compromised versions between March 31 and April 20, 2026, is at risk.

What to do now

  1. Identify and audit all environments where `npm install` or `npm update` commands were run with Axios versions 1.14.1 or 0.30.4.
  2. Search artifact repositories and dependency caches for the malicious `plain-crypto-js` package.
  3. Revert to safe Axios versions by downgrading to `axios@1.14.0` or `axios@0.30.3`.
  4. Delete the malicious dependency folder: remove `node_modules/plain-crypto-js/` from all affected projects.
  5. Rotate and revoke all potentially exposed credentials, including VCS tokens, CI/CD secrets, cloud API keys, npm tokens, and SSH keys.
  6. Monitor network traffic for suspicious outbound connections, especially to `Sfrclak[.]com` and related domains.
  7. Conduct endpoint detection and response (EDR) hunts to identify indicators of compromise (IOCs) and ensure no persistent threats remain.
  8. Implement continuous monitoring for anomalous child processes or unexpected execution behaviors during package installs.

How to secure yourself

  • Pin dependency versions in `package.json` and lockfiles to known safe releases to prevent accidental upgrades to malicious versions.
  • Set `ignore-scripts=true` in your `.npmrc` file to prevent execution of lifecycle scripts during package installation, which can be exploited by attackers.
  • Configure `min-release-age=7` in `.npmrc` to only install packages that have been published for at least seven days, allowing time for vetting.
  • Enforce phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical infrastructure such as npm registries, CI/CD platforms, and version control systems.
  • Establish a baseline of normal tool behavior and alert on deviations such as unexpected shell executions or network connections.
  • Regularly audit and rotate secrets to limit exposure in case of compromise.

FAQ

How do I know if my project is affected by the Axios compromise?

Check if your project or build environment installed or updated Axios versions 1.14.1 or 0.30.4 between March 31 and April 20, 2026. Review your `package.json`, `package-lock.json`, and CI/CD logs for these versions.

What immediate steps should developers take if they used the compromised Axios versions?

Downgrade Axios to version 1.14.0 or 0.30.3, remove the `plain-crypto-js` dependency, rotate all credentials, and scan for unusual network activity or processes.

Can the malicious dependency execute on browser environments?

The primary risk is in Node.js environments where npm installs occur: install-time lifecycle scripts run on the developer or CI machine performing the install, not in end users' browsers. Browser environments therefore do not execute npm lifecycle scripts, but caution is advised.

How can I prevent future supply chain compromises?

Use strict version pinning, enable `ignore-scripts` in npm, enforce MFA, vet packages before installation, and monitor for anomalous behavior.

What does setting `ignore-scripts=true` do?

It prevents npm from running lifecycle scripts during package installation, which are often exploited by attackers to execute malicious code.

Are there any known indicators of compromise (IOCs) to look for?

Yes, connections to domains like `Sfrclak[.]com`, presence of `plain-crypto-js` in `node_modules`, and unexpected child processes during npm installs.

Should I trust Axios packages published after April 20, 2026?

Only if you verify the package integrity and version. Use official sources and consider waiting for at least seven days after publication before installing.

How does this incident impact open-source software security?

It highlights the critical need for supply chain security, dependency management, and proactive threat detection in open-source ecosystems.

Why this matters

Supply chain attacks like the Axios npm compromise pose severe risks because they exploit the trust developers place in widely used dependencies. A single malicious package can cascade into thousands of projects, potentially exposing sensitive data, credentials, and infrastructure to attackers. This incident demonstrates how attackers leverage trusted software to infiltrate development pipelines and emphasizes the urgency of adopting robust security practices around dependency management.

For organizations, failure to respond promptly can lead to data breaches, intellectual property theft, and operational disruptions. For developers, awareness and vigilance are essential to safeguard the software supply chain that underpins modern applications.

Sources and corroboration

This article is based on official alerts and guidance from the Cybersecurity and Infrastructure Security Agency (CISA) dated April 20, 2026, corroborated by Axios GitHub disclosures and Microsoft Threat Intelligence reports. Additional analysis from npm documentation and security researchers further validates the scope and impact of the compromise.

  • CISA Alert: https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
  • Axios GitHub Issue #10636: https://github.com/axios/axios/issues/10636
  • Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-axios-npm-supply-chain-compromise
  • npm Docs: https://docs.npmjs.com/cli/v9/configuring-npm/npmrc

---

Stay vigilant and ensure your development environments are secured against supply chain threats by following the actionable steps outlined in this article.

Sources used for this article

cisa.gov

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Supply Chain Compromise Hits Axios NPM Package: What Developers and Organizations Must Do".

  • Secure web portals and publishing operations
  • Phishing prevention and account-safety guidance
  • User-facing recovery playbooks