
Supply Chain Backdoor in Axios npm Packages & Zero‑Day Exploits in FortiClient EMS Threaten Global Enterprises

An unknown actor compromised the Axios npm library, injecting malicious code that spreads RATs to downstream applications, while a zero‑day in FortiClient EMS allowed attackers to bypass authentication and control endpoint agents. Both incidents expose thousands of enterprises to data theft and network compromise, demanding urgent third‑party risk mitigation.

LiveThreat™ Intelligence · April 05, 2026 · helpnetsecurity.com

  • Severity: High
  • Type: Breach
  • Confidence: High
  • Affected: 5 sector(s)
  • Actions: 3 recommended
  • Source: helpnetsecurity.com

What Happened — An unknown threat actor hijacked the GitHub and npm accounts of Axios, the popular JavaScript HTTP client, and published malicious packages that install droppers and remote‑access trojans. In the same week, attackers exploited two Fortinet FortiClient Endpoint Management Server (EMS) vulnerabilities – a previously patched SQL injection (CVE‑2026‑21643) and a new API authentication bypass zero‑day (CVE‑2026‑35616) – to gain unauthorized control of endpoint agents.

Why It Matters for TPRM (Third‑Party Risk Management)

  • Supply‑chain compromise of a core developer library can cascade to any downstream SaaS, web, or mobile application that depends on Axios.
  • Zero‑day exploits in a widely‑deployed endpoint management solution give adversaries footholds inside corporate networks, bypassing traditional perimeter defenses.

Who Is Affected — Technology & SaaS vendors, financial services, healthcare, retail, and any organization that builds JavaScript applications using Axios or runs FortiClient EMS for endpoint control.

Recommended Actions

  • Immediately audit all codebases for unauthorized Axios versions; revert to known‑good releases and enforce signed package verification.
  • Apply FortiClient EMS emergency hot‑fixes (CVE‑2026‑21643, CVE‑2026‑35616) and review API authentication configurations.
  • Conduct a supply‑chain risk assessment for third‑party libraries and enforce strict version control policies.

Technical Notes

  • Attack vector: Compromised developer accounts → malicious npm packages (third‑party dependency injection).
  • Vulnerabilities: CVE‑2026‑21643 (SQL injection, previously patched) and CVE‑2026‑35616 (API auth‑bypass zero‑day).
  • Data types: Potential exfiltration of source code, credentials, and internal network telemetry via installed RATs.

Source: Help Net Security

Original Source
https://www.helpnetsecurity.com/2026/04/05/week-in-review-axios-npm-supply-chain-compromise-critical-forticlient-ems-bug-exploited/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
