On 31 March 2026, the Axios npm package, a JavaScript library that enables applications to make HTTP/S requests and is included as a dependency in millions of applications, was compromised. Between ~00:21 and ~03:30 UTC, malicious versions (axios@1.14.1 and axios@0.30.4) were published using a compromised maintainer account.
Appian has investigated this vulnerability and affected services, and determined that it is not impacted, as no vulnerable versions of the packages are used in the Appian Cloud environment or any of Appian’s products. We will continue to monitor the situation and provide any updates as appropriate.
This article applies to all supported versions of Appian.
Last reviewed: April 1, 2026