The Cybersecurity and Infrastructure Security Agency (CISA) issued a high-priority alert on April 21, 2026, detailing a significant supply chain compromise of the Axios npm package. Axios is a ubiquitous JavaScript HTTP client used in both Node.js and browser environments, boasting over 100 million weekly downloads. The agency’s guidance follows the discovery of malicious code injected into the library’s distribution channel, which was used to deliver a cross-platform remote access trojan (RAT) to hundreds of thousands of systems.
According to the CISA alert, the compromise specifically affected two versions of the package: axios@1.14.1 and axios@0.30.4. These versions were published to the npm registry on March 31, 2026, after a threat actor successfully hijacked the account of a lead maintainer. The attacker bypassed the project’s standard GitHub Actions CI/CD pipeline and OIDC Trusted Publisher safeguards by manually publishing the poisoned versions using a stolen npm access token. During the approximately three-hour window the packages were live, an estimated 600,000 installations occurred across developer workstations, build servers, and production environments.
The technical mechanism of the attack involved a phantom dependency named plain-crypto-js@4.2.1. This malicious dependency was added to the Axios package.json file but was never actually imported by the Axios source code. Upon installation, the dependency executed a postinstall script that deployed multi-stage payloads tailored for Windows, macOS, and Linux. The resulting remote access trojan was designed to harvest sensitive authentication material, including AWS keys, Azure credentials, GitHub personal access tokens, and SSH keys. Forensic analysis indicated the malware also featured self-deletion capabilities, replacing its own files with clean decoys after execution and thereby complicating detection efforts.
CISA’s April 21 guidance attributes the infrastructure and execution of the attack to Sapphire Sleet, a North Korean state-sponsored threat actor. The agency emphasized that organizations should assume any system that ran npm install or npm update during the exposure window on March 31 is compromised. CISA recommends that security teams immediately audit their CI/CD pipelines and developer machines for the presence of the affected versions or the plain-crypto-js dependency.
Remediation steps outlined by the agency include downgrading Axios to known safe versions 1.14.0 or 0.30.3 and pinning these versions in package-lock.json files. Furthermore, CISA urged the immediate rotation and revocation of all credentials that may have been exposed, including cloud access keys and version control system tokens. The agency also recommended that organizations mandate phishing-resistant multifactor authentication for all developer accounts and configure corporate npm repositories to prevent the installation of unvetted or newly published packages.
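The audit CISA recommends (checking lockfiles for the two poisoned releases or for the phantom plain-crypto-js dependency) can be scripted. The following is an added example, not code from CISA or the Axios project; the version strings and dependency name come from the alert above, the lockfile is a constructed sample, and handling of both lockfileVersion 2/3 and v1 layouts is an assumption about the lockfile formats in use.

```javascript
// Indicators taken from the alert text.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const PHANTOM_DEP = "plain-crypto-js";

// Returns findings for a parsed package-lock.json object. Handles
// lockfileVersion 2/3 ("packages" map keyed by install path) and v1
// (nested "dependencies" objects).
function findAffected(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === "axios" && BAD_AXIOS_VERSIONS.has(version)) {
      findings.push({ name, version, where, reason: "poisoned axios release" });
    }
    if (name === PHANTOM_DEP) {
      findings.push({ name, version, where, reason: "phantom dependency present" });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      // Package name is the segment after the last "node_modules/" (13 chars),
      // which keeps the scope for @scope/name entries.
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      check(name, meta.version, path);
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where}/`); // v1 nests transitive deps
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Constructed sample (lockfileVersion 3) showing an affected install tree.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
  "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
  "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  "node_modules/demo-helper": { version: "2.0.0" }, // constructed, benign filler
} };

// Usage: node scan-lock.js [package-lock.json]; without a path, scans the sample.
function scanFile(path) {
  return findAffected(JSON.parse(require("fs").readFileSync(path, "utf8")));
}
const hits = process.argv[2] ? scanFile(process.argv[2]) : findAffected(SAMPLE_LOCK);
for (const h of hits) console.log(`${h.reason}: ${h.name}@${h.version} at ${h.where}`);
```

A clean tree yields no output; any finding names the install path so the affected node_modules directory can be located on build servers and developer machines.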