Verify a decision

{"actor":"system:backfill","investigation_id":"8db5fc64-aacd-406c-807b-9fb98cf7530e","kind":"publish","page_slug":"axios-npm-supply-chain-attack-march-2026","published_at":"2026-06-19T23:09:44.721Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Axios npm Supply Chain Attack (March 2026)","sections":[{"content":"Axios is one of the most widely used JavaScript HTTP client libraries, receiving over 100 million weekly downloads and listed as a direct or transitive dependency in more than 174,000 public npm packages. On March 31, 2026, two malicious versions — axios@1.14.1 and axios@0.30.4 — were published to the npm registry using a compromised maintainer account belonging to lead maintainer jasonsaayman. Both versions injected a previously staged malicious dependency, plain-crypto-js@4.2.1, which functioned as a dropper for a cross-platform remote access trojan identified as WAVESHAPER.V2. The compromised packages remained publicly available for approximately two hours and 54 minutes before being removed, during which an unknown but potentially large number of npm install executions could have delivered the payload.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Axios Post-Mortem: axios npm supply chain compromise (GitHub Issue #10636)","type":"official","url":"https://github.com/axios/axios/issues/10636"},{"credibility":2,"name":"Threat Brief: Widespread Impact of the Axios Supply Chain Attack — Unit 42, Palo Alto Networks","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager (April 20, 2026)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":2,"name":"Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"}]},{"content":"The root cause of the supply chain compromise was a highly targeted, multi-week social engineering operation against jasonsaayman, the lead maintainer of Axios. Attackers impersonated the founder of a real company and constructed a convincing fake corporate identity, including a professionally branded Slack workspace with channels populated by fake team members sharing content linked to the real company's LinkedIn account, and fabricated profiles for other open-source maintainers to establish credibility. Saayman later described the operation as 'extremely well co-ordinated, looked legit and was done in a professional manner.' During an alleged Microsoft Teams meeting, attackers prompted the maintainer to install a software update, which was in fact the WAVESHAPER RAT. Once the RAT was active on the maintainer's machine, attackers had, in the maintainer's own words, 'full unilateral control of everything,' including the ability to circumvent two-factor authentication protections and access long-lived npm publishing credentials. The attacker subsequently changed the registered email on the npm account to ifstap@proton.me before publishing the malicious releases. A parallel, nearly identical social engineering attempt was reportedly made against another Axios collaborator (voxpelli) weeks earlier, framed as a podcast invitation; that attempt was rebuffed when the target refused to install software.","heading":"Maintainer Account Compromise and Social Engineering","severity":"critical","sources":[{"credibility":1,"name":"Axios Post-Mortem: axios npm supply chain compromise (GitHub Issue #10636)","type":"official","url":"https://github.com/axios/axios/issues/10636"},{"credibility":3,"name":"How North Koreans Hacked Axios via Slack — Sameer Khan","type":"news_article","url":"https://monkfrom.earth/blogs/axios-npm-supply-chain-attack"},{"credibility":2,"name":"UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html"},{"credibility":2,"name":"How critical Axios NPM package got hacked: maintainer shared full story — Cybernews","type":"news_article","url":"https://cybernews.com/security/social-engineering-attack-behind-axios-npm-compromise/"}]},{"content":"The malicious plain-crypto-js@4.2.1 dependency executed a postinstall script that branched into three platform-specific attack paths. On macOS, an AppleScript fetched a C++ Mach-O binary from the attacker's command-and-control (C2) server and deployed it to /Library/Caches/com.apple.act.mond. On Windows, a disguised copy of PowerShell was created and a VBScript payload was fetched and executed; the Windows variant achieves persistence via a Registry Run key and a hidden .bat file. On Linux, a Python RAT script was deployed to /tmp/ld.py and executed via nohup. All three variants beacon to the C2 server every 60 seconds via HTTP POST containing Base64-encoded JSON, spoofing a user-agent string mimicking Internet Explorer 8 on Windows XP. The four supported remote commands are: kill (self-termination), runscript (arbitrary command execution), peinject (in-memory binary payload delivery), and rundir (filesystem enumeration). Installation from postinstall trigger to active RAT takes approximately 15 seconds. The macOS C++ payload exhibits significant technical overlap with WAVESHAPER, a C++ backdoor previously attributed to UNC1069 by Mandiant. C2 infrastructure: domain sfrclak[.]com, IP 142.11.206[.]73, port 8000. The RAT's general-purpose command execution and filesystem access capabilities would allow an operator to exfiltrate any credentials, API keys, cloud tokens, npm publishing tokens, SSH keys, or cryptocurrency wallet seed phrases stored on or accessible from a compromised developer machine.","heading":"Malware Technical Analysis: WAVESHAPER.V2","severity":"critical","sources":[{"credibility":2,"name":"Threat Brief: Widespread Impact of the Axios Supply Chain Attack — Unit 42, Palo Alto Networks","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"Inside the Axios Supply Chain Compromise: One RAT to Rule Them All — Elastic Security Labs","type":"research","url":"https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all"},{"credibility":2,"name":"Compromised axios npm package delivers cross-platform RAT — Datadog Security Labs","type":"research","url":"https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/"}]},{"content":"Two major threat intelligence organizations independently attributed the Axios supply chain attack to North Korean state-sponsored actors, though using different tracking designations. Microsoft Threat Intelligence publicly attributed the attack on April 1, 2026, to Sapphire Sleet, a North Korean state actor Microsoft has tracked in prior campaigns against cryptocurrency platforms, financial institutions, and technology supply chains. Google Threat Intelligence Group and Mandiant attributed the same attack to UNC1069, a financially motivated North Korea-nexus threat cluster active since at least 2018. The basis for both attributions includes: (1) use of WAVESHAPER.V2, a direct technical evolution of the WAVESHAPER backdoor previously linked exclusively to UNC1069 operations; (2) C2 infrastructure connections originating from a specific AstrillVPN node with documented prior use by UNC1069; and (3) adjacent infrastructure on the same autonomous system number (ASN) historically associated with UNC1069 campaigns. The Cyber Security Agency of Singapore (CSA) also issued an advisory on the incident. UNC1069 is assessed to be financially motivated, with a documented focus on stealing cryptocurrency and targeting organizations in the financial technology sector.","heading":"Threat Actor Attribution","severity":"critical","sources":[{"credibility":1,"name":"Mitigating the Axios npm supply chain compromise — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"credibility":1,"name":"North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package — Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"},{"credibility":2,"name":"North Korean hackers linked to Axios npm supply chain compromise — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/04/01/north-korean-hackers-linked-to-axios-npm-supply-chain-compromise/"},{"credibility":1,"name":"Advisory on Axios Supply Chain Attack via Compromised npm Account — Cyber Security Agency of Singapore","type":"regulatory","url":"https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2026-002/"},{"credibility":2,"name":"Axios Poisoned: UNC1069's npm Supply Chain Playbook — Cloud Security Alliance","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-unc1069-axios-npm-supply-chain-20260403-cs/"}]},{"content":"Axios is downloaded over 100 million times per week and is a direct or transitive dependency in more than 174,000 public npm packages. Palo Alto Networks Unit 42 assessed that the attack's reach spanned financial services, high technology, higher education, healthcare, and retail sectors across the United States, Europe, the Middle East, South Asia, and Australia. Axios is estimated to be present in approximately 80 percent of cloud and developer environments. The attack window of roughly three hours limits the number of affected installs relative to Axios's total install base, and package lockfiles (package-lock.json, yarn.lock) provided partial protection for projects with pinned versions; however, fresh installs, npx executions, global installations, and some CI/CD jobs that do not respect lockfiles remained exposed. No confirmed count of compromised systems has been publicly released by any government or vendor as of the date of this report.","heading":"Scale and Blast Radius","severity":"high","sources":[{"credibility":2,"name":"Threat Brief: Widespread Impact of the Axios Supply Chain Attack — Unit 42, Palo Alto Networks","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"Axios npm Hijack 2026: Everything You Need to Know — SOCRadar","type":"research","url":"https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/"},{"credibility":3,"name":"183 Million Targets: Inside the North Korean Supply Chain Strike on Axios — Security Online","type":"news_article","url":"https://securityonline.info/axios-supply-chain-attack-waveshaper-v2-unc1069/"}]},{"content":"Although WAVESHAPER.V2 is a general-purpose RAT and does not contain crypto-wallet-specific targeting modules (such as browser extension hooks or seed phrase scrapers), its arbitrary command execution and filesystem enumeration capabilities posed a direct threat to cryptocurrency assets and developer infrastructure. Developer machines that ran the compromised Axios versions may have stored cryptocurrency wallet seed phrases, private keys, exchange API keys, cloud provider credentials, GitHub personal access tokens, npm publishing tokens, CI/CD secrets, SSH keys, and database connection strings — all accessible to an operator via the runscript and rundir commands. UNC1069 is documented by both Mandiant and Microsoft as having a primary financial motivation centered on cryptocurrency theft, consistent with the targeting profile of the attack. No confirmed cases of cryptocurrency theft or credential exfiltration resulting directly from this incident have been publicly disclosed as of the time of this report.","heading":"Cryptocurrency and Developer Credential Risk","severity":"high","sources":[{"credibility":2,"name":"Supply chain attack on Axios could compromise crypto wallets — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/06b75-supply-chain-attack-axios-crypto-wallets"},{"credibility":2,"name":"Axios NPM Package Compromised in Supply Chain Attack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/axios-npm-supply-chain-attack-malicious-dependency"},{"credibility":2,"name":"Malicious Axios npm Packages Trigger Supply Chain Attack: Crypto Wallets and API Keys — CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/axios-npm-supply-chain-attack-crypto-credentials-install-window/"}]},{"content":"CISA issued a formal alert on April 20, 2026, nearly three weeks after initial disclosure, advising organizations to immediately downgrade to axios@1.14.0 or axios@0.30.3, delete node_modules/plain-crypto-js/, review all code repositories and CI/CD pipelines for affected versions, rotate and revoke all potentially exposed credentials (VCS tokens, CI/CD secrets, cloud keys, npm tokens, and SSH keys), block outbound connections to sfrclak[.]com, and implement phishing-resistant MFA for developer accounts. CISA did not assign a CVE number in its alert and did not make an independent threat actor attribution statement. No financial penalties or enforcement actions against npm or any platform have been publicly announced in connection with this incident.","heading":"Regulatory and Government Response","severity":"high","sources":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager (April 20, 2026)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":2,"name":"CISA Warns Axios npm Package Was Compromised in Major Supply Chain Attack — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/cisa-warns-axios-npm-supply-chain/"}]},{"content":"The following indicators of compromise were published by Unit 42, Elastic Security Labs, and CISA in connection with this incident. C2 infrastructure: domain sfrclak[.]com (defanged: sfrclak[.]com), IP address 142.11.206[.]73, TCP port 8000. Affected npm package versions: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1, plain-crypto-js@4.2.0 (pre-staged, non-malicious but part of the operation). File system artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\\wt.exe (Windows), /tmp/ld.py (Linux). Compromised account email: ifstap@proton.me. Beacon characteristics: HTTP POST every 60 seconds, Base64-encoded JSON body, User-Agent spoofing Internet Explorer 8 on Windows XP ('mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)'). Unit 42 published 23 SHA256 hashes for malware variants in its threat brief.","heading":"Indicators of Compromise (IOCs)","severity":"high","sources":[{"credibility":2,"name":"Threat Brief: Widespread Impact of the Axios Supply Chain Attack — Unit 42, Palo Alto Networks","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":2,"name":"Inside the Axios Supply Chain Compromise: One RAT to Rule Them All — Elastic Security Labs","type":"research","url":"https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all"},{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager (April 20, 2026)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"}]},{"content":"The attack was detected not by automated npm security systems but by community vigilance: collaborator DigitalBrainJS opened a deprecation PR and contacted npm directly at approximately 01:38 UTC on March 31, 2026. The malicious axios versions were removed from the npm registry at 03:15 UTC; plain-crypto-js was removed at 03:29 UTC. Following the incident, the axios project committed to a set of security improvements documented in the official post-mortem on GitHub: complete device wipes and credential resets across all maintainer accounts; adoption of OIDC-based publishing flows to eliminate long-lived npm access tokens; implementation of immutable release protocols; and GitHub Actions configuration updates aligned with security best practices. CISA, Microsoft, and Unit 42 all issued independent remediation guidance for affected organizations, with consistent recommendations to downgrade, rotate credentials, block C2 infrastructure, and implement npm configuration hardening measures such as setting ignore-scripts=true and min-release-age=7 in .npmrc.","heading":"Remediation and Axios Project Response","severity":"medium","sources":[{"credibility":1,"name":"Axios Post-Mortem: axios npm supply chain compromise (GitHub Issue #10636)","type":"official","url":"https://github.com/axios/axios/issues/10636"},{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager (April 20, 2026)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":1,"name":"Mitigating the Axios npm supply chain compromise — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"}]}],"sources_used":[{"credibility":1,"name":"CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager (April 20, 2026)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"credibility":1,"name":"Mitigating the Axios npm supply chain compromise — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"credibility":1,"name":"North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package — Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"},{"credibility":2,"name":"Threat Brief: Widespread Impact of the Axios Supply Chain Attack — Unit 42, Palo Alto Networks","type":"research","url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"credibility":1,"name":"Axios Post-Mortem: axios npm supply chain compromise (GitHub Issue #10636)","type":"official","url":"https://github.com/axios/axios/issues/10636"},{"credibility":2,"name":"Inside the Axios Supply Chain Compromise: One RAT to Rule Them All — Elastic Security Labs","type":"research","url":"https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all"},{"credibility":2,"name":"Compromised axios npm package delivers cross-platform RAT — Datadog Security Labs","type":"research","url":"https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/"},{"credibility":1,"name":"Advisory on Axios Supply Chain Attack via Compromised npm Account — Cyber Security Agency of Singapore","type":"regulatory","url":"https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2026-002/"},{"credibility":2,"name":"North Korean hackers linked to Axios npm supply chain compromise — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/04/01/north-korean-hackers-linked-to-axios-npm-supply-chain-compromise/"},{"credibility":2,"name":"Axios Maintainer Confirms The npm Compromise Was via a Targeted Social Engineering Attack — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/axios-maintainer-confirms-the-npm-compromise/"},{"credibility":2,"name":"UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html"},{"credibility":2,"name":"Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"},{"credibility":2,"name":"Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html"},{"credibility":2,"name":"Supply chain attack on Axios could compromise crypto wallets — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/06b75-supply-chain-attack-axios-crypto-wallets"},{"credibility":2,"name":"Axios NPM Package Compromised in Supply Chain Attack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/axios-npm-supply-chain-attack-malicious-dependency"},{"credibility":2,"name":"Axios Poisoned: UNC1069's npm Supply Chain Playbook — Cloud Security Alliance","type":"research","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-unc1069-axios-npm-supply-chain-20260403-cs/"},{"credibility":3,"name":"How North Koreans Hacked Axios via Slack — Sameer Khan","type":"news_article","url":"https://monkfrom.earth/blogs/axios-npm-supply-chain-attack"},{"credibility":2,"name":"Axios npm Hijack 2026: Everything You Need to Know — SOCRadar","type":"research","url":"https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/"},{"credibility":2,"name":"Supply Chain Compromise of axios npm Package — Huntress","type":"research","url":"https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package"},{"credibility":3,"name":"183 Million Targets: Inside the North Korean Supply Chain Strike on Axios — Security Online","type":"news_article","url":"https://securityonline.info/axios-supply-chain-attack-waveshaper-v2-unc1069/"}],"summary":"On March 31, 2026, two backdoored releases of the Axios JavaScript HTTP client library (versions 1.14.1 and 0.30.4) were published to the npm registry via a compromised maintainer account, injecting a malicious dependency that delivered the WAVESHAPER.V2 cross-platform remote access trojan to macOS, Windows, and Linux systems. The malicious packages were live for approximately three hours before removal; the attack has been attributed to UNC1069 (also tracked as Sapphire Sleet), a North Korean state-sponsored threat actor. CISA issued a formal advisory on April 20, 2026.","timeline":[{"date":"2026-03-30","event":"Plain-crypto-js@4.2.0 (pre-staging, non-malicious) published to npm at 05:57 UTC. Malicious plain-crypto-js@4.2.1 published at 23:59 UTC.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"},{"date":"2026-03-31","event":"Malicious axios@1.14.1 published to npm at 00:21 UTC; axios@0.30.4 published at approximately 01:00 UTC. Both versions inject plain-crypto-js@4.2.1 to deliver the WAVESHAPER.V2 RAT.","source":"Axios GitHub Post-Mortem (Issue #10636)","source_url":"https://github.com/axios/axios/issues/10636"},{"date":"2026-03-31","event":"Community member and collaborator DigitalBrainJS opens a deprecation PR and contacts npm security directly at approximately 01:38 UTC, initiating takedown.","source":"Axios GitHub Post-Mortem (Issue #10636)","source_url":"https://github.com/axios/axios/issues/10636"},{"date":"2026-03-31","event":"Malicious axios versions removed from npm registry at 03:15 UTC; plain-crypto-js removed at 03:29 UTC. Total attack window: approximately 2 hours 54 minutes.","source":"Axios GitHub Post-Mortem (Issue #10636)","source_url":"https://github.com/axios/axios/issues/10636"},{"date":"2026-04-01","event":"Microsoft Threat Intelligence publicly attributes the compromise to Sapphire Sleet, a North Korean state-sponsored threat actor, and publishes mitigation guidance.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/"},{"date":"2026-04-01","event":"Unit 42 (Palo Alto Networks) publishes initial threat brief with IOCs, malware analysis, and remediation guidance.","source":"Unit 42 — Palo Alto Networks","source_url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"date":"2026-04-01","event":"Axios lead maintainer jasonsaayman publicly confirms the compromise was the result of a targeted multi-week social engineering campaign involving a fake corporate identity and a malicious software installer delivered during an MS Teams meeting.","source":"Cybersecurity News","source_url":"https://cybersecuritynews.com/axios-maintainer-confirms-the-npm-compromise/"},{"date":"2026-04-01","event":"Help Net Security reports North Korean hackers linked to the compromise, citing Google Threat Intelligence and Mandiant attribution to UNC1069.","source":"Help Net Security","source_url":"https://www.helpnetsecurity.com/2026/04/01/north-korean-hackers-linked-to-axios-npm-supply-chain-compromise/"},{"date":"2026-04-09","event":"Unit 42 adds Advanced Threat Prevention detection coverage for the WAVESHAPER.V2 variants.","source":"Unit 42 — Palo Alto Networks","source_url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"date":"2026-04-13","event":"Unit 42 issues clarifications on Windows RAT execution mechanics; Cortex AgentiX coverage added.","source":"Unit 42 — Palo Alto Networks","source_url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"},{"date":"2026-04-20","event":"CISA issues formal advisory alerting organizations to the supply chain compromise, with detailed remediation steps including credential rotation, C2 blocking, and npm hardening guidance.","source":"CISA","source_url":"https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager"},{"date":"2026-05-19","event":"Unit 42 formally closes active threat monitoring for this incident.","source":"Unit 42 — Palo Alto Networks","source_url":"https://unit42.paloaltonetworks.com/axios-supply-chain-attack/"}]},"v":1}