Axios npm Supply Chain Compromise - Guidance for Azure Pipelines Customers - Azure DevOps Blog
"The affected versions - 1.14.1 and 0.30.4 - included a hidden malicious dependency that executed during installation and connected to attacker-controlled command-and-control (C2) infrastructure to retrieve a second-stage payload."
"Customers who use Microsoft-hosted agents and run only Microsoft-authored built-in tasks are not affected by any compromise of the Azure Pipelines platform or hosted agent infrastructure as a result of this npm ecosystem attack."
"If a pipeline run installed one of the malicious Axios versions, code executed during package installation, and any credentials or secrets available to that affected job should be treated as potentially exposed."
On March 31, 2026, malicious versions of the Axios library (1.14.1 and 0.30.4) were published to npm. They carried a hidden dependency whose install-time script ran during package installation and reached out to attacker-controlled C2 infrastructure to fetch a second-stage payload. Any CI/CD job that installed one of these versions therefore ran attacker code with that job's privileges. The Azure Pipelines platform and Microsoft-hosted agent infrastructure were not compromised by this attack, and customers who use Microsoft-hosted agents and run only Microsoft-authored built-in tasks are not affected. However, for any pipeline job that installed a malicious Axios version, every credential or secret available to that job (service connection tokens, variable-group secrets, the job access token) should be treated as potentially exposed and rotated.
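The practical first step is to find out which pipelines could have installed one of the two versions. As an added example (this is not code from the Azure DevOps post or from the Axios project), the Node script below walks a package-lock.json and reports every axios entry pinned to 1.14.1 or 0.30.4, including nested copies under other packages' node_modules. The two version numbers come from the advisory; the lockfile object is constructed for the example. The script reads the standard npm lockfile shapes: the "packages" map of lockfileVersion 2/3 and the "dependencies" tree of lockfileVersion 1.

```javascript
// Added example: scan an npm lockfile for the Axios versions named in the
// advisory. Not part of the Azure DevOps post; the sample lockfile is constructed.

// Versions taken from the advisory text.
const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Derive the package name from a lockfileVersion 2/3 "packages" key such as
// "node_modules/legacy-lib/node_modules/axios" -> "axios" (scoped names keep "@scope/").
function nameFromPackagePath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Recursively walk the lockfileVersion 1 "dependencies" tree, recording hits by path.
function walkV1(deps, prefix, hits, affected) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "axios" && affected.has(entry.version)) {
      hits.set(path, { path, version: entry.version });
    }
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, hits, affected);
  }
}

// Return [{ path, version }] for every axios entry whose pinned version is affected.
// lockfileVersion 2 carries both "packages" and "dependencies"; the Map dedupes by path.
function findAffectedAxios(lock, affected = AFFECTED_AXIOS_VERSIONS) {
  const hits = new Map();
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project, not a dependency
      const name = entry.name || nameFromPackagePath(path);
      if (name === "axios" && affected.has(entry.version)) {
        hits.set(path, { path, version: entry.version });
      }
    }
  }
  if (lock.dependencies) walkV1(lock.dependencies, "", hits, affected);
  return [...hits.values()];
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync("package-lock.json", "utf8")).
function scanLockfileText(text) {
  return findAffectedAxios(JSON.parse(text));
}

// Constructed sample: a top-level axios 1.14.1 and a nested axios 0.30.4 pulled in
// by a hypothetical "legacy-lib"; "safe-lib" is a clean control entry.
const SAMPLE_LOCK = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0", dependencies: { axios: "^1.14.0", "legacy-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-lib": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/legacy-lib/node_modules/axios": { version: "0.30.4" },
    "node_modules/safe-lib": { version: "1.0.0" },
  },
};

// Stand-alone run: print the hits for the constructed sample.
console.log(JSON.stringify(findAffectedAxios(SAMPLE_LOCK), null, 2));
```

Each hit identifies a lockfile that, if installed with `npm ci` or `npm install` during the exposure window, caused the malicious install step to run in that job. Treat the secrets of every such job as exposed and rotate them, and remove or pin the dependency before re-running. Two caveats: a lockfile only shows what npm was told to install, so a job that runs `npm install` without a committed lockfile, or that resolves a floating range at install time, must be checked against its actual install logs or package cache instead; and a clean lockfile today says nothing about what a job installed on the day of the attack, so check the lockfile at the commit each historical run built from.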
Read at Azure DevOps Blog