Executive Summary
A security bulletin was issued following the discovery of a supply chain attack on the popular `axios` npm package on March 31, 2026. Malicious code was found in versions `1.14.1` and `0.30.4`, which introduced a harmful `plain-crypto-js` dependency. Vercel confirmed its own platform was unaffected and took steps to block the attack, while advising developers to immediately update their dependencies, redeploy projects, and rotate any exposed credentials.
Key Takeaways
* Vulnerability: A supply chain attack compromised the `axios` npm package.
* Affected Versions: `axios@1.14.1` and `axios@0.30.4` are malicious. The safe, corrected version is `axios@1.14.0`.
* Malicious Payload: The compromised versions included a malicious dependency called `plain-crypto-js@4.2.1`.
* Vercel Platform Status: Vercel systems were not affected, and the company has blocked the malicious command-and-control domain (`sfrclak .com`) from its build infrastructure.
* Required User Actions: Users must check their projects for the affected versions, update to the safe version, redeploy their applications, and rotate all sensitive credentials (API keys, tokens, etc.) that were present in the build environment.
Strategic Importance
This incident highlights the critical risk of supply chain attacks in modern software development, underscoring the need for platforms to provide rapid response and clear security guidance to protect users.