The Cybersecurity and Infrastructure Security Agency (CISA) issued a high-priority alert on April 21, 2026, regarding a critical supply chain compromise involving the Axios npm package. Axios, a widely used promise-based HTTP client for Node.js and the browser, was found to contain a malicious dependency designed to deliver a sophisticated remote access trojan (RAT) to developer workstations and production servers.
According to the CISA advisory, the compromise originated from a hijacked maintainer account of a secondary dependency used by Axios versions 1.8.4 through 1.8.7. The malicious code, identified as axios-connector-utility, was surreptitiously added to the dependency tree. Once installed via the standard npm install command, the package executes a post-install script that initiates the download of the RAT payload from a remote command-and-control server.
Technical analysis provided by CISA and collaborating cybersecurity firms indicates that the RAT, dubbed AxiosRAT, possesses extensive capabilities. These include file system manipulation, keystroke logging, and the ability to establish persistent reverse shells. Furthermore, the malware includes specialized modules designed to scan local networks for Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) protocols, suggesting a targeted interest in industrial environments.
The scale of the impact is significant. Axios currently averages over 45 million weekly downloads on the npm registry. CISA estimates that approximately 12 million unique IP addresses have downloaded the compromised versions since the malicious update was pushed late last week. Affected services include cloud-native applications, financial transaction processing systems, and internal management consoles for several major technology providers.
CISA has categorized this event as a major supply chain threat. The agency recommends that all organizations utilizing Axios immediately audit their node_modules directories and lockfiles. Developers are urged to upgrade to version 1.8.8, which was released earlier today to remove the malicious dependency. CISA also advises monitoring network traffic for unauthorized connections to the identified command-and-control IP addresses listed in the technical annex of the alert.
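The lockfile audit recommended above can be scripted. The following is an added example, not code from CISA or the Axios project: it flags any installed copy of Axios in the 1.8.4 through 1.8.7 range and any occurrence of axios-connector-utility in a parsed package-lock.json. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audit a parsed package-lock.json against the advisory text.
const BAD_AXIOS = new Set(['1.8.4', '1.8.5', '1.8.6', '1.8.7']); // range stated on the page
const BAD_DEP = 'axios-connector-utility';                        // name stated on the page

// Package name from a lockfile v2/v3 key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

function check(name, version, where, findings) {
  if (name === 'axios' && BAD_AXIOS.has(version)) {
    findings.push({ where, name, version, reason: 'affected axios version' });
  } else if (name === BAD_DEP) {
    findings.push({ where, name, version, reason: 'malicious dependency' }); // any version
  }
}

// Lockfile v1 nests installs under "dependencies"; walk the tree recursively.
function walkV1(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail ? `${trail} > ${name}` : name;
    check(name, info.version, where, findings);
    walkV1(info.dependencies, where, findings);
  }
}

function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      if (!path.includes('node_modules/')) continue; // skip root and workspace entries
      // "name" is recorded when the folder name differs (npm aliases)
      check(info.name || nameFromPath(path), info.version, path, findings);
    }
  } else {
    walkV1(lock.dependencies, '', findings); // lockfileVersion 1
  }
  return findings;
}

// Constructed sample lockfile (not taken from the advisory).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.8.8' },
  'node_modules/legacy-sdk/node_modules/axios': { version: '1.8.5' },
  'node_modules/axios-connector-utility': { version: '0.0.0-constructed' },
} };
console.log(auditLockfile(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to auditLockfile; nested copies pulled in by other packages are reported with their full install path.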
Official statements from the npm registry confirmed that the malicious package has been removed and the compromised maintainer account has been suspended. The registry is currently conducting a broader sweep of the ecosystem to ensure no other packages were affected by the same threat actor. No downtime was reported for the npm registry itself, though several continuous integration and delivery pipelines were temporarily halted by enterprise security filters as the threat was identified.