Axios package compromise and remediation steps. The axios npm package was compromised in an active supply chain attack discovered on March 31, 2026.

Vercel is a platform for deploying modern web applications with speed and simplicity, offering developers a seamless experience for hosting and scaling their projects. With features like instant deployment, serverless functions, and global CDN, Vercel empowers developers to focus on building great user experiences without worrying about infrastructure management.

Vercel

The axios npm package was compromised in a supply chain attack discovered on March 31, 2026. Affected versions are axios@1.14.1 and axios@0.30.4, which contained malicious code communicating with a command-and-control server. Vercel blocked outbound access to the C2 hostname and the malicious versions have been unpublished from npm. The safe version is axios@1.14.0. Developers should search lockfiles and node_modules for plain-crypto-js, redeploy projects, rotate all secrets present in build environments, and update dependencies to axios@1.14.0.