Status: Appfarm is NOT affected
On March 30, a widely used open-source component called axios was compromised on npm, the JavaScript package registry. An attacker hijacked a maintainer account and published malicious versions that installed hidden malware on developers’ machines. The compromised versions were live for approximately 2–3 hours before being removed.
Appfarm is not affected.
We have supply chain security controls in place that prevent newly published package versions from entering our platform automatically. New versions must pass through a stabilisation period before they are eligible for use — by which time malicious packages can be detected and removed, as happened here.
This type of attack targets organisations that pull in new dependency versions without delay or review. Our age-gating policy is specifically designed to protect against this class of threat.
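As an illustration of the age-gating idea described above, the following added example (not Appfarm's implementation) filters the `time` map from npm registry metadata so that only release versions older than a minimum age are eligible. The 7-day period, the function names, and the sample versions and timestamps are assumptions constructed for the example.

```javascript
// Added example: age-gate over npm registry metadata (packument "time" map).
// MIN_AGE_DAYS is an assumed value; the page does not state the real period.
const MIN_AGE_DAYS = 7;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample shaped like the "time" field of an npm packument.
const sampleTime = {
  created: "2020-01-01T00:00:00.000Z",
  modified: "2030-03-30T01:00:00.000Z",
  "1.4.0": "2030-01-10T09:00:00.000Z",
  "1.4.1": "2030-03-01T12:00:00.000Z",
  "1.5.0-beta.1": "2030-03-05T12:00:00.000Z",
  "1.4.2": "2030-03-30T00:30:00.000Z", // published hours before "now"
  "1.4.3": "not-a-date",               // malformed timestamp
};

// Parse "x.y.z" release versions only; prereleases and other keys return null.
function parseRelease(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareRelease(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return release versions whose publish time is at least minAgeDays old,
// sorted ascending. Unparseable timestamps fail closed (version is excluded).
function eligibleVersions(time, now, minAgeDays = MIN_AGE_DAYS) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  return Object.entries(time)
    .map(([v, ts]) => ({ v, parts: parseRelease(v), at: Date.parse(ts) }))
    .filter((e) => e.parts && !Number.isNaN(e.at) && e.at <= cutoff)
    .sort((a, b) => compareRelease(a.parts, b.parts))
    .map((e) => e.v);
}

// Newest version that has cleared the stabilisation period, or null.
function newestEligible(time, now, minAgeDays = MIN_AGE_DAYS) {
  const ok = eligibleVersions(time, now, minAgeDays);
  return ok.length ? ok[ok.length - 1] : null;
}

const now = new Date("2030-03-30T03:00:00.000Z"); // constructed "current time"
console.log(eligibleVersions(sampleTime, now));
console.log(newestEligible(sampleTime, now));
```

With the gate set to zero days, the same function selects the version published hours earlier, which is the exposure the stabilisation period removes.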
No action is required from Appfarm customers or partners.
Reference: