CSSF — Axios compromised (31/03/2026): EDR/XDR to detect and notify under DORA
The CSSF warns about the Axios supply‑chain compromise and reminds firms to notify a major ICT incident under Circular 25/893 (DORA). Here is how an EDR/XDR stack helps detect, contain, and notify on time.
What happened
On 31 March 2026, two versions of Axios — a JavaScript library used by millions of apps — were compromised on npm (versions 1.14.1 and 0.30.4) after a maintainer account was taken over. The malicious package introduced a cross‑platform RAT via a dependency “plain‑crypto‑js” (notably v4.2.1). Public analyses indicate the distribution window occurred on 31/03/2026; Microsoft summarised IOCs and mitigations, while BleepingComputer detailed the RAT injection mechanism and the malicious dependency chain.
- Microsoft analysis and mitigations (01/04/2026): Microsoft Security Blog.
- Security coverage (31/03/2026): BleepingComputer.
On 3 April 2026, the CSSF issued a notice on this incident and explicitly reminded supervised entities that such a supply‑chain compromise qualifies as a “major ICT‑related incident” to be notified via eDesk under CSSF Circular 25/893 (DORA entities) or CSSF Circular 24/847 as applicable. It listed immediate actions (isolation, secret rotation, rebuild from clean, C2 blocking, npm cache purge) and the time scope of installations to treat as compromised (installation between 00:21 and 03:25 UTC on 31/03). Official source: CSSF — Active supply chain attack targeting Axios NPM.
The applicable legal framework
The duty to notify a major ICT‑related incident in Luxembourg is defined by:
- CSSF Circular 25/893 (27/05/2025) — rules for classification and notification of major incidents and significant cyber threats under DORA (Regulation (EU) 2022/2554). It also extends the DORA framework to PSPs not covered by DORA to avoid dual regimes. References: CSSF page and circular PDF.
- DORA — Chapter III: Articles 17 (ICT incident management process), 18 (classification), 19 (notification of major incidents and voluntary threat reporting), 20 (harmonised templates), 21–23 (centralisation/supervisory feedback and payments cases). Consolidated text: EUR‑Lex.
In practice, the CSSF expects entities to:
- maintain a documented process to detect, qualify (DORA Art. 18 criteria) and notify using harmonised forms (Arts. 19–20),
- control timelines and completeness of required content (impact, critical services, measures, IOCs),
- evidence traceability (logs, chronology, decisions, escalations to the management body),
- and apply CSSF recommendations specific to the incident (e.g., Axios) and to sound remediation practices.
The technical solution: EDR/XDR to detect, qualify and evidence
Why EDR/XDR: in a supply‑chain attack, the entry point is “legitimate” (a package update). What becomes visible is the post‑install behaviour: script execution, persistence creation, C2 connections, exfiltration. An EDR/XDR stack correlates these signals across endpoints, servers, cloud workloads and, depending on the solution, network and identities.
How it works in practice:
- Detection: telemetry and behavioural analytics rules (npm postinstall execution, abnormal key access, calls to known IOCs/domains; see the Microsoft IOCs listed under Official sources).
- Investigation: unified timeline (process tree), hashes, sockets, users, added packages. Log retention for forensics and proof of due care.
- Response: host network isolation, kill process, persistence removal, forced secret rotation, app rollback (rebuild from a clean golden image) — all required by the CSSF recommendations for the Axios incident.
- DORA qualification: dashboards mapped to Art. 18 criteria (affected critical services, duration, impacted users, spread, exfiltration) to decide if the incident meets the “major” threshold and to trigger notification.
- Traceability: timestamped export of events and response actions to feed eDesk templates (Arts. 19–20) and justify proportionality (DORA Arts. 5–11 on risk management).
Standards: this approach aligns with ISO/IEC 27001 Annex A (A.5.7, A.5.23, A.5.24, A.8.16), NIST CSF 2.0 (DE, RS, RC) and CIS Controls v8 (12 — Network Monitoring & Defense, 13 — Data Protection, 17 — Incident Response).
How Luxgap delivers it
- Our managed SOC: we integrate your EDR/XDR (or deploy one) and build DORA playbooks: detect npm/postinstall patterns, auto‑enrich with Threat Intel, 1‑click containment, and generate a timeline ready for eDesk (Circular 25/893). 24/7 monitoring and major‑incident on‑call. Explore our managed SOC.
- Our ISO 27001 governance: our Lead Implementers shape the incident process (DORA Art. 17): classification (Art. 18), RACI, “major” thresholds, notification templates (Arts. 19–20), and integration with crisis comms and the management body.
- Our outsourced DPO and CISO: coordinate GDPR if personal data is affected (Arts. 33–34 GDPR), sync notifications (CSSF/national CSIRT/data protection authorities) and manage evidence. Need an outsourced CISO to steer remediation?
Real‑world case in Luxembourg or the EU
A DORA‑regulated PSP faced indirect exposure in April 2026 via a CI/CD chain using npm. In six weeks:
- Deployed an XDR across 2,800 endpoints and servers, with rules dedicated to npm/postinstall hooks.
- Built a DORA runbook in the SIEM: automatic collection of required metadata (affected services, volumes, users) and assembly of the eDesk draft.
- Ran a multi‑authority notification and escalation tabletop, with legal validation of the “major incident” criteria.
Outcome: detection within minutes of suspicious post‑install executions on a set of build servers, automated containment, initial notification to the CSSF within Circular 25/893 timelines, and a final report documenting IOCs and remediations (rebuild, secret rotation) aligned with the circular.
Getting started
- Assess your Axios exposure: inventory installed versions and npm install timestamps — if installed between 00:21 and 03:25 UTC on 31/03/2026, treat the system as compromised. Follow the CSSF action list (see Official sources below).
- Enable EDR/XDR telemetry on endpoints/servers/CI: collect process, script, network, registry/autoruns, and retain 30–90 days for forensics.
- Map your “major incident” thresholds to DORA templates (Arts. 18–20) and configure a SOC alert that automatically opens a “DORA 25/893” case.
- Write a CSSF notification playbook: who qualifies, who signs, which eDesk fields, which evidence to extract (logs, screenshots, decisions), and how to sync with GDPR (Arts. 33–34) if applicable.
- Test via a “supply‑chain” crisis exercise: inject known Microsoft IOCs and measure your time‑to‑detect/time‑to‑notify. If you are starting with DORA in Luxembourg, also see our DORA Luxembourg (CSSF) page.
Official sources
- CSSF — Active supply chain attack targeting Axios NPM (03/04/2026)
- CSSF — Circular 25/893 (DORA incident/threat reporting) | PDF
- EUR‑Lex — Regulation (EU) 2022/2554 (DORA), Articles 17–20
- Microsoft Security Blog — Mitigating the Axios npm supply chain compromise (01/04/2026)
- BleepingComputer — Hackers compromise Axios npm package (31/03/2026)
Contact us to assess your exposure and accelerate DORA/CSSF compliance.