Axios
Published: April 8, 2026
Version: 1.0
Executive Summary
Axios Incident Overview
AvePoint is issuing this security advisory to notify our customers that we are aware of the recent Axios Incident. In this event, attackers managed to compromise a maintainer’s account and subsequently published malicious versions of the Axios package, specifically axios@1.14.1 and axios@0.30.4. These versions included a harmful dependency, plain-crypto-js@4.2.1, which was designed to introduce malicious code into affected systems.
Advisory Details
AvePoint have completed the review and can confirm there is no impact to our products or internal operations.
- The AOS product and core systems do not use the affected versions and therefore are not impacted.
- Internal systems were not impacted.
Out of an abundance of caution, we proactively rotated credentials and remediated internal systems. No customer data, production systems, or services were affected.
Suggested Actions
Security Actions - No additional action is required.
Mitigation Steps - Not needed at this moment.
AvePoint implements best-in-class techniques for identifying, protecting, and detecting cybersecurity threats.
The information security and data privacy of our customers is AvePoint’s highest priority. If you have any questions about this and/or you are contacted by anyone else about this issue, please contact our security team immediately at security@avepoint.com.
For your additional information please find AvePoint’s reporting policy and response plan: https://www.avepoint.com/company/vulnerability-reporting-policy