The axios npm package was compromised in an active supply chain attack discovered on March 31, 2026. Vercel investigated this issue and implemented remediation actions to protect the platform. No Vercel systems were affected. The npm registry removed the compromised package versions, and the latest tag now points to the safe axios@1.14.0 release. We’ve blocked outgoing access from our build infrastructure to the Command & Control hostname sfrclak .com. The malicious version of the package has been blocked and unpublished from npm. Vercel’s own infrastructure and applications have been unaffected. We recommend checking your supply chain for exposure. Link to heading Affected versions Projects using axios@1.14.1 or axios@0.30.4 in their build environments are affected by this vulnerability.…