Vercel/Vercel/Axios package compromise and remediation steps

Axios package compromise and remediation steps

March 31, 2026VercelView original ↗

$npx @buildinternet/releases get rel_x14G8z6INIgfAwo_OWlpR

The axios npm package was compromised in an active supply chain attack discovered on March 31, 2026. Vercel investigated and implemented remediation actions. No Vercel systems were affected.

Affected versions: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1

Remediation actions:

Blocked outgoing access from build infrastructure to Command & Control hostname
Malicious package versions blocked and unpublished from npm
Latest tag now points to safe axios@1.14.0 release

Recommended actions: Check dependencies and lockfiles, redeploy projects, rotate API keys and credentials, review dependency tree for affected versions.

From other products

[Updated] Mitigating Multiple Security Vulnerabilities in React Server ComponentsDec 5, 2025
[Updated] Mitigating Multiple Security Vulnerabilities in React Server Components Date: DEC 5, 2025 Authors: Phil Pluckthun, Vojtech Novak…
Expo · Expo Changelog
Cloudflare workerdCloudflare
v1.20260511.1May 11, 2026
and 29 others this month

Fetched March 31, 2026

Axios package compromise and remediation steps

More from Vercel

From other products

More from Vercel

From other products