Security Advisory: Axios npm Supply Chain Incident (No Impact to Kore Services)

Update timeline

1. resolved Apr 02, 2026, 06:05 AM UTC

   Dear Users, We would like to inform you about a recently reported supply chain security incident involving the Axios npm package. As per available information, Axios versions 1.14.1 and 0.30.4 were briefly published around March 30–31, 2026. These versions did not follow the standard release process (no corresponding GitHub release artifacts) and were subsequently removed from npm. It has been reported that these versions introduced a dependency on a potentially malicious package. Kore has completed validation across our systems and can confirm that none of our applications use the affected Axios versions (1.14.1 or 0.30.4). There is no impact to our products or services from this incident. We will continue to monitor the situation and take appropriate actions if needed. Thank you for your continued trust and support.