HomeSubject Matter AreasCybersecurity
CybersecurityInfrastructure SecurityCybersecurity and Infrastructure Security Agency

Supply Chain Compromise Impacts Axios Node Package Manager​, CISA Alert Warns

Homeland Security Today
By Homeland Security Today
April 21, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm).1 Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two npm packages for versions [email protected] and [email protected] of Axios npm injected the malicious dependency [email protected] that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.2

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:

  • Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
    • Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases.

If compromised dependencies are identified, revert the environment to a known safe state.

  • Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
  • Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
    • Block and monitor outbound connections to Sfrclak[.]com domains.
    • Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).

In addition, CISA recommends organizations using Axios npm:

  • Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
  • Set ignore-scripts=true in the .npmrc configuration file, which prevents potentially malicious scripts from executing during npm install packages.
  • Set min-release-age=7 in the .npmrc configuration file to only install packages that have been published for at least seven days, which helps avoid installation of packages that may not be completely vetted or are potentially malicious.
  • Establish and maintain a baseline of normal execution behavior for tools that use Axios.
    • Alert when a dependency behaves differently (e.g., building containers, enabling shells, executing commands) and trace outbound network activity for anomalous connections.

The original announcement can be found here.

Previous article
Chad Gorman Takes on Director Role Leading DHS and TSA Relations at CLEAR
Next article
OT-ISAC Advisory Exposes Critical Flaws Across Industrial Control and Management Systems

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

Latest Articles

Load more