Notice Regarding a Security Issue in a Dependency Package (axios)

Important Notice, SDK

A security issue was identified in axios, which is a dependency of npm packages provided by Kintone.

Conditions That Can Trigger the Installation of Compromised Axios

Environments that performed any of the following actions between approximately 9:21 and 12:15 (JST) on March 31, 2026 may have installed the compromised version of axios.

Package Installation

When the following npm packages were resolved via npm install, npx, or similar commands, the compromised version of axios may have been installed.

  • @kintone/rest-api-client (6.1.3 or earlier)
  • @kintone/create-plugin (9.0.2 or earlier)
  • @kintone/customize-uploader (9.0.2 or earlier)
  • @kintone/dts-gen (9.0.2 or earlier)
  • @kintone/webpack-plugin-kintone-plugin (9.0.1 or earlier)
  • @kintone/cli (v1.19.1 or earlier)
  • @kintone/mcp-server (1.3.9 or earlier)
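
For the package-installation case above, the following added example (not Kintone's code) triages a parsed package-lock.json against the listed versions and the stated time window. The function names, the sample lockfile, and the use of an install timestamp such as the mtime of node_modules/axios are assumptions. It reports the resolved axios versions for comparison with the official advisory, because this notice does not state the compromised version, and it does not cover packages fetched into the npx cache.

```javascript
// Added example. Thresholds and time window are copied from the advisory;
// it lists resolved axios versions but cannot say which one is compromised.
const AFFECTED_MAX = {
  "@kintone/rest-api-client": "6.1.3",
  "@kintone/create-plugin": "9.0.2",
  "@kintone/customize-uploader": "9.0.2",
  "@kintone/dts-gen": "9.0.2",
  "@kintone/webpack-plugin-kintone-plugin": "9.0.1",
  "@kintone/cli": "1.19.1",
  "@kintone/mcp-server": "1.3.9",
};
const WINDOW_START = Date.parse("2026-03-31T09:21:00+09:00");
const WINDOW_END = Date.parse("2026-03-31T12:15:00+09:00");

// Compare plain x.y.z versions; a leading "v" and prerelease tags are ignored.
function compareVersions(a, b) {
  const parts = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// installedAt: when dependencies were resolved (assumed known to the caller).
function triageInstall(lock, installedAt) {
  const affected = [], axios = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !meta.version) continue;
    if (name === "axios") axios.push({ path, version: meta.version });
    const max = Object.hasOwn(AFFECTED_MAX, name) ? AFFECTED_MAX[name] : null;
    if (max && compareVersions(meta.version, max) <= 0) affected.push(`${name}@${meta.version}`);
  }
  const t = new Date(installedAt).getTime();
  const inWindow = t >= WINDOW_START && t <= WINDOW_END;
  return { affected, axios, inWindow, review: inWindow && affected.length > 0 && axios.length > 0 };
}

// Constructed sample lockfile (axios version is a placeholder, not an indicator).
const sampleLock = { packages: {
  "": { name: "my-plugin", version: "1.0.0" },
  "node_modules/@kintone/rest-api-client": { version: "6.1.3" },
  "node_modules/@kintone/dts-gen": { version: "9.0.3" },
  "node_modules/axios": { version: "0.0.0-placeholder" },
} };
console.log(triageInstall(sampleLock, "2026-03-31T10:00:00+09:00"));
```

A result with review set to true means the environment matches the conditions in this notice and should be checked against the official axios information.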

Command Execution

The following commands may also be affected, even without an explicit package installation, because they internally download a dependency package (rest-api-client) at execution time.

@kintone/cli (cli-kintone)

The plugin init --template typescript command is affected.
This applies to all execution methods, including npx, global installation, and the binary.

# Execution via npx
npx @kintone/cli plugin init --template typescript

# Execution from a global installation
cli-kintone plugin init --template typescript

@kintone/create-plugin

Execution with the --template modern option is affected.

# Execution via npx
npx @kintone/create-plugin my-plugin --template modern

# Execution from a global installation
create-kintone-plugin my-plugin --template modern

Use of the Kintone MCP Server

If your MCP client (such as Claude Desktop) is configured to invoke npx @kintone/mcp-server, the package is downloaded when the server starts, so your environment may be affected.

// mcp.json
{
  "mcpServers": {
    "kintone": {
      "command": "npx",
      "args": ["-y", "@kintone/mcp-server"]
    }
  }
}

Mitigation Steps

If you believe your environment may be affected, refer to the official information below and take appropriate action, such as rotating your credentials.

Patch Releases

To prevent future issues, we have released patch updates that specify the version of the axios dependency.

Package | Released Version
@kintone/cli | v1.19.2
@kintone/mcp-server | 1.3.10
@kintone/create-plugin | 9.0.3
@kintone/customize-uploader | 9.0.3
@kintone/dts-gen | 9.0.3
@kintone/rest-api-client | 6.1.4
@kintone/webpack-plugin-kintone-plugin | 9.0.2