[MS] Axios npm Supply Chain Compromise – Guidance for Azure Pipelines Customers - devamazonaws.blogspot.com
On March 31, 2026, malicious versions of the widely used JavaScript HTTP client library Axios were briefly published to the npm registry as part of a supply chain attack. The affected versions, 1.14.1 and 0.30.4, included a hidden malicious dependency that executed during installation and connected to attacker-controlled command-and-control (C2) infrastructure to retrieve a second-stage payload.

Because modern development workflows frequently rely on automated dependency resolution during CI/CD builds, environments such as developer workstations and build agents, including those used in Azure Pipelines, may have been exposed if they resolved the compromised versions during installation or update.

For a detailed technical analysis of the attack and recommended mitigations, please refer to "Mitigating the Axios npm Supply Chain Compromise" on the Microsoft Security Blog.

Impact on Azure Pipelines

This incident does not represent a compromise of Azure...