On March 31, 2026, malicious versions of the Axios npm package (1.14.1 and 0.30.4) were published as part of a supply chain attack. These versions included a hidden dependency (plain-crypto-js@4.2.1) that connected to attacker-controlled C2 infrastructure. Azure Pipelines itself was not compromised, but pipelines using self-hosted agents, custom tasks, third-party extensions, or containerized environments may have been exposed. Recommended actions include reviewing pipeline logs for the affected versions, rotating credentials used by affected runs, reimaging self-hosted agents, clearing dependency caches, and treating artifacts from compromised runs as untrusted. Best practices to reduce future risk include pinning dependency versions, using lockfiles with deterministic installs (npm ci), and limiting secret scope in pipelines.
Table of contents
- Impact on Azure Pipelines
- If Your Pipelines Include Custom Scripts, Extensions, Self-Hosted Agents, or Containers, We Recommend the Following Actions
- What to do now
- What to review in your pipelines
- Best Practices to Reduce Future Supply Chain Risk in Azure Pipelines
- How to reduce future supply chain risk
- Learn More
- How to verify whether you were affected
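One concrete way to carry out the "review for the affected versions" step on a repository or an agent's workspace is to scan its package-lock.json for the indicators named in the summary: axios 1.14.1 / 0.30.4 and the hidden dependency plain-crypto-js@4.2.1. The script below is an added example, not code from the advisory; it handles both the lockfile v1 nested tree and the v2/v3 "packages" map, and the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example (not from the advisory): scan a package-lock.json object for
// the indicators named above. Handles lockfileVersion 1 ("dependencies" tree)
// and lockfileVersion 2/3 ("packages" map keyed by install path).

const AFFECTED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// v2/v3 keys look like "node_modules/axios" or "node_modules/a/node_modules/axios";
// the package name is everything after the last "node_modules/" (scoped names
// keep their "@scope/" prefix).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Returns [{ name, version, where }] for every affected package found.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (AFFECTED[name] && AFFECTED[name].has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {                       // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;             // root project entry, not a dependency
      check(nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {            // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        check(name, meta.version, prefix + name);
        if (meta.dependencies) walk(meta.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: a v3 lockfile that resolved the malicious axios release,
// which in turn pulled in the hidden plain-crypto-js dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real file, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means the run that produced that lockfile should be treated as compromised per the actions above.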