Endigest AI Core Summary
The axios npm package was compromised in an active supply chain attack discovered on March 31, 2026, and Vercel has documented remediation steps.
• Affected versions are axios@1.14.1 and axios@0.30.4, which contained malicious code as part of a supply chain attack
• The malicious package installed plain-crypto-js as part of the compromise; searching lockfiles and node_modules for this package identifies affected installations
• Vercel blocked outgoing access from its build infrastructure to the Command & Control hostname sfrclak.com
• The npm registry removed the compromised versions; the latest tag now points to the safe axios@1.14.0
• Remediation steps: search for plain-crypto-js in lockfiles, redeploy projects, and rotate all API keys, database credentials, and tokens present in the build environment
This summary was automatically generated by AI based on the original article and may not be fully accurate.