npm ecosystem

April 01, 2026

Successful supply chain attack against Axios npm packages

On March 31, 2026, two compromised versions of the widely used JavaScript library Axios (v1.14.1 and v0.30.4) were briefly distributed via the npm package manager. The packages contained malicious code that could have compromised affected developer machines and build servers.

Our developers analyzed the situation immediately. As things currently stand, no action is required for INOSOFT projects and customer systems under our responsibility. npm has already removed the infected packages; secure versions (v1.14.0 or v0.30.3) are available.

For customers who operate their own CI/CD pipelines with an Axios dependency, we recommend checking the versions in use. We are happy to answer any questions you may have.
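
One way to carry out the recommended version check, as an added example that is not INOSOFT's or npm's own code: it scans a parsed `package-lock.json` for every installed copy of Axios, including transitive and aliased ones, and flags the two versions named above. The function name `findAxios`, the sample lockfile and the package names in it are constructed for illustration.

```javascript
const PKG = 'axios';
const BAD_VERSIONS = new Set(['1.14.1', '0.30.4']); // versions from the advisory

// Return every installed copy of Axios recorded in a parsed package-lock.json.
function findAxios(lock) {
  const hits = [];
  const record = (name, version, path) => {
    if (name === PKG && typeof version === 'string') {
      hits.push({ path, version, compromised: BAD_VERSIONS.has(version) });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      // Aliased installs carry the real package name in "name".
      const name = entry.name || (i >= 0 ? path.slice(i + 13) : '');
      record(name, entry.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [key, entry] of Object.entries(deps || {})) {
        // Aliases appear here as "npm:<real-name>@<version>".
        const alias = /^npm:(.+)@([^@]+)$/.exec(entry.version || '');
        const path = `${prefix}node_modules/${key}`;
        record(alias ? alias[1] : key, alias ? alias[2] : entry.version, path);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: one safe direct copy, one compromised
// transitive copy, and one compromised copy installed under an alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk': { version: '2.3.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.30.4' },
    'node_modules/http-client': { name: 'axios', version: '1.14.1' },
  },
};

for (const h of findAxios(sampleLock)) {
  console.log(`${h.compromised ? 'COMPROMISED' : 'ok'}  axios@${h.version}  ${h.path}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAxios`. The lockfile shows what is pinned now, not what an earlier build installed, so build logs and caches from the distribution window are worth checking as well.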