Skip to content

Instantly share code, notes, and snippets.

@marccampbell
Created March 31, 2026 11:16
Show Gist options
  • Select an option

  • Save marccampbell/b8ed4918480028f5e2908aa555a4f616 to your computer and use it in GitHub Desktop.

Select an option

Save marccampbell/b8ed4918480028f5e2908aa555a4f616 to your computer and use it in GitHub Desktop.
🚨 Axios supply chain vuln β€” Replicated repo audit (2026-03-31)

🚨 Axios Supply Chain Vulnerability β€” Replicated Repo Audit

Date: 2026-03-31 Threat: axios@1.14.1 pulls in plain-crypto-js@4.2.1 β€” confirmed malware (supply chain attack) Action: DO NOT upgrade axios. Pin versions. Audit lockfiles.

Affected Repos (replicatedhq + replicatedcom)

Repo File Section Axios Version
replicatedhq/kots web/package.json dependencies ^1.13.5
replicatedhq/kURL-testgrid web/package.json devDependencies ^1.13
replicatedhq/cmx-testgrid package.json dependencies ^1.7.2
replicatedhq/vandoor vendor-web/package.json resolutions ^0.30.3
replicatedhq/replicated-www package.json dependencies ^0.25.0
replicatedhq/k8s-love package.json dependencies ^0.25.0
replicatedhq/action-okteto-test package.json dependencies ^0.25.0

Risk Assessment

Highest risk: Repos with ^1.x ranges β€” these could resolve to 1.14.1 on next npm install:

  • replicatedhq/kots (^1.13.5) ⚠️
  • replicatedhq/kURL-testgrid (^1.13) ⚠️
  • replicatedhq/cmx-testgrid (^1.7.2) ⚠️

Lower risk: Repos pinned to ^0.x ranges β€” semver won't resolve to 1.14.1:

  • replicatedhq/vandoor (^0.30.3)
  • replicatedhq/replicated-www (^0.25.0)
  • replicatedhq/k8s-love (^0.25.0)
  • replicatedhq/action-okteto-test (^0.25.0)

Notes

  • This audit checked package.json files across all 345 repos in replicatedhq and 189 repos in replicatedcom
  • Lockfiles (package-lock.json, yarn.lock) were NOT audited β€” if any lockfile has already resolved to 1.14.1, the compromise may already be present
  • No code changes were made
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment