Stay Ahead of the Threat Landscape
Get weekly cybersecurity briefings covering major threats, strategic developments, and the trends shaping technology, security, and industry.
Breaking: NSA advises regular router reboots
Cloud Security Alliance Warns CISOs to Prepare for AI-Powered Cyberattacks
The AI Boom Is Turning Energy Into a Consumer Issue
As AI Spending Surges, Chip Prices Ripple Into Daily Life

Summary
Unit 42 reported widespread impact from a supply-chain attack on Axios after an npm maintainer account was hijacked and malicious versions were released. Because Axios is deeply embedded across web stacks, downstream trust assumptions amplified the blast radius.
Technical details
The malicious updates were identified as Axios v1.14.1 and v0.30.4. Unit 42 published attacker infrastructure and said the article was updated again on April 9 to add further product coverage, which suggests the defensive picture continued to evolve after first publication.
CVE number
None cited in the Unit 42 report.
CVSS score / severity
No CVSS cited; operational severity is high because the compromise affected a heavily trusted dependency in software build and application environments.
Affected software / vendor
Axios JavaScript library; affected downstream applications and build environments that consumed the poisoned releases.
Exploit status
Active compromise / malicious package distribution.
Indicators of compromise
Unit 42 listed 142.11.206[.]73, sfrclak[.]com, callnrwise[.]com, and URLs under hxxp://sfrclak[.]com:8000.
Mitigation or patch information
Remove or replace malicious Axios versions, audit dependency trees, scan build pipelines, validate package integrity, and review outbound connections for the published domains and IP.
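The dependency-tree audit above can start from the lockfile. As an added example (not from Unit 42 or the Axios project), this JavaScript function walks a parsed package-lock.json and reports every direct, transitive or aliased axios install pinned to the two versions named in this brief; the sample lockfiles and package names are constructed.

```javascript
// Added example. The two version strings come from the brief; all sample data is constructed.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Returns [{ path, version }] for each axios install pinned to a flagged version.
function findCompromisedAxios(lock) {
  const hits = new Map(); // keyed by install path so v2 lockfiles are not double-counted

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs carry the real package name in "name".
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
      hits.set(path, { path, version: meta.version });
    }
  }

  // lockfileVersion 1 (kept in v2 for compatibility): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
        hits.set(path, { path, version: meta.version });
      }
      walk(meta.dependencies, path + "/"); // transitive copies nested under a parent
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed lockfileVersion 3 sample: one unflagged copy, one nested copy, one alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.6.8" }, // not one of the two flagged versions
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/http-alias": { name: "axios", version: "0.30.4" },
  },
};

// Constructed lockfileVersion 1 sample: flagged copy nested under a parent package.
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "legacy-client": { version: "3.1.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};

console.log(findCompromisedAxios(sampleLock), findCompromisedAxios(sampleLockV1));
```

On a real project, pass it `JSON.parse` of the contents of `package-lock.json`. A hit means the lockfile would install a flagged release, not that the payload ran, so it feeds the pipeline and outbound-connection review rather than replacing it.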
Security tools related to detection, mitigation, or analysis
Software composition analysis, SBOM tooling, CI/CD integrity monitoring, EDR on build workers, outbound DNS/proxy monitoring, and supply-chain scanning. Unit 42 also referenced Advanced WildFire and Advanced Threat Prevention coverage updates.
Why the event matters in the current threat landscape
This is another reminder that software trust chains are now a frontline target. Dependency compromise can bypass perimeter assumptions and land directly inside enterprise development and production workflows.
Sources
Unit 42 threat brief, published April 1, 2026; updated April 9, 2026.