Supply Chain Compromise Impacts Axios Node Package Manager
2026-04-20 • USCISA
CISA warns that compromised Axios npm releases [email protected] and [email protected] injected the malicious dependency [email protected] into developer environments. The dependency downloads multi-stage payloads from actor-controlled infrastructure, including a remote access trojan, during npm install or npm update activity. The alert directs organizations to review repositories, CI/CD pipelines, artifact caches, and developer machines, downgrade to [email protected] or [email protected], remove plain-crypto-js, and rotate exposed secrets. It also recommends monitoring anomalous child processes and outbound traffic, including connections to Sfrclak[.]com domains, because developer and build-system compromise can expose credentials and propagate across software supply chains.
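One way to run the repository review described above against an npm lockfile, as an added example (not code from CISA or the Axios project). The function names, the sample lockfile and its version strings are constructed; supply the affected Axios versions from the alert itself as `affectedAxios`.

```javascript
// Dependency name taken from the alert; everything else here is illustrative.
const SUSPECT = "plain-crypto-js";
// Flatten a parsed lockfile into {name, version, path, declared} records.
function collectPackages(lock) {
  const out = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i < 0 ? path : path.slice(i + "node_modules/".length));
    out.push({ name, version: meta.version, path, declared: Object.keys(meta.dependencies || {}) });
  }
  if (out.length > 0) return out;
  // lockfileVersion 1: nested "dependencies" tree; declared dependencies live in "requires".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      out.push({ name, version: meta.version, path, declared: Object.keys(meta.requires || {}) });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Report every copy of the suspect dependency and every Axios install, including nested ones.
function scanLockfile(text, affectedAxios = []) {
  const findings = [];
  for (const p of collectPackages(JSON.parse(text))) {
    if (p.name === SUSPECT) {
      findings.push({ action: "remove", path: p.path, version: p.version });
    } else if (p.name === "axios") {
      // Flag a listed version, or any Axios entry that declares the suspect dependency.
      const bad = affectedAxios.includes(p.version) || p.declared.includes(SUSPECT);
      findings.push({ action: bad ? "downgrade" : "verify-version", path: p.path, version: p.version });
    }
  }
  return findings;
}
// Constructed sample lockfile; the version strings are placeholders, not the alert's values.
const SAMPLE = JSON.stringify({
  lockfileVersion: 3, packages: {
    "": { name: "demo-app", dependencies: { axios: "*" } },
    "node_modules/axios": { version: "0.0.0-placeholder", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/tool/node_modules/axios": { version: "9.9.9-placeholder" },
  },
});
console.log(scanLockfile(SAMPLE));
```

Pass the text of each `package-lock.json` to `scanLockfile`. A lockfile with no findings says nothing about artifact caches or developer machines, which the alert lists separately for review.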
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |