The npm package was compromised in an discovered on March 31, 2026. Vercel investigated this issue and implemented remediation actions to protect the platform. No Vercel systems were affected.axiosactive supply chain attack The npm registry removed the compromised package versions, and the latest tag now points to the safe release.axios@1.14.0 Projects using or in their build environments are affected by this vulnerability.axios@1.14.1axios@0.30.4 If your deployments used the malicious package version listed above in your build environment, take the following actions: Read more We’ve blocked outgoing access from our build infrastructure to the Command & Control hostname .com.sfrclak The malicious version of the package has been blocked and unpublished from npm.

Vercel’s own infrastructure and applications have been unaffected. We recommend checking your supply chain for exposure. Check your dependencies and lockfiles for: axios@1.14.1 axios@0.30.4 plain-crypto-js@4.2.1 Search your lockfiles and for to identify compromised installationsnode_modulesplain-crypto-js Redeploy your project to ensure your build uses a clean version of axios Rotate API keys, database credentials, tokens…