CISA has issued an alert after attackers compromised two versions of the widely used Axios npm package on March 31, 2026, injecting a malicious dependency that downloads a remote access trojan. The alert urges developers and organizations to downgrade, rotate credentials, and audit any pipelines that ran the affected versions.