Security

Keboola Security Notice: axios npm Supply Chain Attack (March 31, 2026)

On March 31, 2026, two versions of the widely used axios npm library (1.14.1 and 0.30.4) were found to contain malicious code planted by a threat actor who had compromised the maintainer's npm account. The affected versions were available on npm for approximately three hours (00:21–03:29 UTC) before they were removed from the registry.

We investigated immediately and confirmed that Keboola's platform, infrastructure, and customer data were not affected.

Specifically:

  • No Keboola CI/CD pipelines referenced the malicious versions: every lockfile already pinned axios to an unaffected version before the attack window, so no pipeline install could have resolved to 1.14.1 or 0.30.4.
  • No Docker images were built during the attack window, meaning no production containers could have pulled the compromised packages.
  • All Keboola developer machines were checked. No indicators of compromise were found on any machine.

No customer action is required. If you have questions, contact us at security@keboola.com.