
fix: pin axios to v1.14.0 — supply chain attack mitigation [CRITICAL]#19

Open
apetre-ionos wants to merge 1 commit into master from fix/axios-supply-chain-vulnerability


@apetre-ionos

Summary

  • CRITICAL: Pin axios dependency from ^1.7 to exact 1.14.0 to mitigate the supply chain attack discovered on March 30-31, 2026
  • The previous caret range ^1.7 directly includes the compromised v1.14.1
  • Compromised versions deploy a RAT via malicious postinstall hook (C2 at sfrclak[.]com:8000)
  • Any npm install that ran between March 30-31 with this range may have pulled the malicious version

Immediate actions required

  • Check CI/CD logs for any npm install runs between March 30-31, 2026
  • Check network logs for connections to sfrclak[.]com:8000
  • Check for IOCs: macOS /Library/Caches/com.apple.act.mond, Linux /tmp/ld.py, Windows %PROGRAMDATA%\wt.exe

Test plan

  • Verify npm install completes without errors
  • Run existing test suite to confirm no breaking changes
  • Verify lockfile contains exactly axios@1.14.0

References

Axios v1.14.1 and v0.30.4 were compromised in a supply chain attack
on March 30-31, 2026. Pin to exact v1.14.0 (last safe version) to
prevent resolution to malicious versions.

CRITICAL: Previous range ^1.7 included compromised v1.14.1.

Ref: https://socket.dev/blog/axios-npm-package-compromised
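A check for the test plan's lockfile item, as an added example rather than the PR's own code: it flags a non-exact axios spec in package.json and any compromised or non-pinned axios version resolved in a lockfile. It assumes the npm lockfile v2/v3 layout (a `packages` object keyed by install path) and constructs its own sample inputs.

```javascript
// Added example, not code from the PR: audit package.json plus a v2/v3
// package-lock.json for the axios versions this PR describes.
const SAFE_AXIOS = '1.14.0';
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);

// Collect every axios entry in the lockfile, including nested copies such
// as node_modules/foo/node_modules/axios, with its resolved version.
function findAxiosEntries(lock) {
  const entries = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      entries.push({ path, version: meta.version });
    }
  }
  return entries;
}

// Returns a list of findings; an empty list means the tree matches the
// PR's intent: an exact pin in package.json and only 1.14.0 resolved.
function auditAxios(pkg, lock) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = (pkg[field] || {}).axios;
    // A range such as ^1.7 lets the resolver pick 1.14.1; only the exact pin passes.
    if (spec !== undefined && spec !== SAFE_AXIOS) {
      findings.push(`${field}: axios is "${spec}", expected exact "${SAFE_AXIOS}"`);
    }
  }
  for (const { path, version } of findAxiosEntries(lock)) {
    if (COMPROMISED_AXIOS.has(version)) {
      findings.push(`${path}: resolves to compromised axios@${version}`);
    } else if (version !== SAFE_AXIOS) {
      findings.push(`${path}: resolves to axios@${version}, not ${SAFE_AXIOS}`);
    }
  }
  return findings;
}

// Constructed sample inputs: the pre-fix caret range with a lockfile that
// picked up the compromised release, and the state this PR aims for.
const samplePkg = { dependencies: { axios: '^1.7' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.7' } },
    'node_modules/axios': { version: '1.14.1' },
  },
};
const fixedPkg = { dependencies: { axios: '1.14.0' } };
const fixedLock = { lockfileVersion: 3, packages: { 'node_modules/axios': { version: '1.14.0' } } };

console.log(auditAxios(samplePkg, sampleLock)); // two findings
console.log(auditAxios(fixedPkg, fixedLock));   // []
```

To run it against a real checkout, replace the sample objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json and fail CI when the returned list is non-empty.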
