SECURITY ADVISORY — March 31, 2026
On March 31st, 2026, the npm maintainer account for axios, one of the most widely used JavaScript HTTP libraries with over 80 million weekly downloads, was compromised. Two malicious versions were published and set as the default install targets. Any system that ran a fresh npm install of axios today may have executed a backdoor that downloads and runs a remote payload, then self-deletes to avoid detection.
Affected Versions
| Status | Version |
| --- | --- |
| COMPROMISED | axios 1.14.1 |
| COMPROMISED | axios 0.30.4 |
| SAFE | axios 1.14.0 and all prior legitimate releases |
What to Do Right Now
- Check your lockfiles for either affected version or any reference to the package plain-crypto-js. If found, treat that system as potentially compromised.
- Rotate credentials on any system where the compromised version was installed.
- Search your network logs for outbound connections to sfrclak.com.
- Block sfrclak.com at your perimeter now regardless. Any outbound traffic to that domain today is a serious indicator.
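
One way to run the lockfile check from the first step, as an added example that is not part of the original advisory: a Node.js function that inspects a parsed npm package-lock.json (both the flat `packages` layout and the older nested `dependencies` layout). The function name `auditLockfile` and the sample lockfile are constructed for illustration; other package managers' lockfiles are not covered.

```javascript
// Added example: audit a parsed package-lock.json for the indicators in this advisory.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]); // from the Affected Versions table
const BAD_PACKAGE = "plain-crypto-js";           // package named in this advisory

// Returns an array of findings: { path, name, version, reason }.
function auditLockfile(lock) {
  const findings = [];
  const check = (path, name, version) => {
    if (name === "axios" && BAD_AXIOS.has(version)) {
      findings.push({ path, name, version, reason: "compromised axios version" });
    } else if (name === BAD_PACKAGE) {
      findings.push({ path, name, version, reason: "package named in advisory" });
    }
  };

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // Aliased installs carry the real name in entry.name; otherwise derive it from the path.
    const name = entry.name || path.split("node_modules/").pop();
    check(path, name, entry.version);
  }

  // lockfileVersion 1: nested "dependencies" tree (only walked when "packages" is absent).
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(path, name, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy/node_modules/axios": { version: "1.14.0" },
  },
};
console.log(auditLockfile(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; a clean lockfile does not prove the host never installed an affected version, so the log search in the later steps still applies.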
PacketViper Impact
We audited our own codebase. PacketViper does not use axios. There is no risk to your PacketViper deployment from this vulnerability.