Axios package compromise and remediation steps
Mirrored from Vercel — AI for archival readability. Support the source by reading on the original site.
The axios npm package was compromised in an active supply chain attack discovered on March 31, 2026. Vercel investigated this issue and implemented remediation actions to protect the platform. No Vercel systems were affected.
The npm registry removed the compromised package versions, and the latest tag now points to the safe [email protected] release.
We’ve blocked outgoing access from our build infrastructure to the Command & Control hostname
sfrclak.com.The malicious version of the package has been blocked and unpublished from npm.
Vercel’s own infrastructure and applications have been unaffected. We recommend checking your supply chain for exposure.
Affected versions
Projects using [email protected] or [email protected] in their build environments are affected by this vulnerability.
Check your dependencies and lockfiles for:
Resolution
If your deployments used the malicious package version listed above in your build environment, take the following actions:
Search your lockfiles and
node_modulesforplain-crypto-jsto identify compromised installationsRedeploy your project to ensure your build uses a clean version of
axiosRotate API keys, database credentials, tokens, and any other sensitive values present in your build environment
Review your dependency tree for references to
[email protected]or[email protected]and update them to[email protected]
Discussion (0)
Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.
Sign in →No comments yet. Sign in and be the first to say something.