Date: April 2, 2026
Background
A critical software supply chain compromise was identified involving the widely used JavaScript HTTP client Axios. Threat actors gained unauthorized access to a primary maintainer’s npm account and published malicious versions of the package to the npm registry, impacting users globally.
Cumulocity Status: NOT AFFECTED
Our Response
- A comprehensive review of our codebase and Software Bill of Materials (SBOM) confirmed that none of our components used the compromised versions.
- Forensic analysis of our pipeline environments and developer environments found no evidence of the malicious packages.
- Endpoint Detection and Response (EDR) systems reported no suspicious activity, including anomalous outbound network connections related to this attack.
Conclusion
Cumulocity artifacts remain secure, and both production and development environments are unaffected. No action is required from customers. We remain committed to maintaining the highest standards of security. We will continue to monitor the situation and update our security protocols as necessary to defend against evolving supply chain threats.
Reference: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity