Axios package compromise: what to know and how to remediate

We’re sharing an important security update regarding a recent supply chain attack on the axios npm package. While Vercel’s systems remain unaffected, we want to help you ensure your projects are secure.

The compromise affects projects that install axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1, whether as a direct dependency or transitively through another package. We have already blocked outgoing access from our build infrastructure to the known malicious command-and-control hostname to provide immediate protection.

What you should do

  • Check your dependencies: Search your lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) and your installed node_modules tree for the affected versions. A compromised version can arrive transitively through another package, so check nested installs, not only your direct dependencies.
  • Update and redeploy: Make sure your project resolves to the safe axios@1.14.0 release, regenerate the lockfile so the compromised version is no longer pinned there, and trigger a new deployment. A redeploy that reuses a lockfile still pinning the bad version will simply reinstall it.
  • Rotate secrets: If a malicious version was installed, treat every secret that was available to the build as exposed and rotate it, including API keys, database credentials, tokens, and anything passed to the build as an environment variable.

Have you checked your dependencies yet? Let us know below if you have any questions about securing your builds.
