Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Summary
Attackers compromised the npm account of Axios' lead maintainer and published malicious versions (axios@1.14.1 and axios@0.30.4) containing a remote access trojan (malware that gives attackers control over infected computers). The attack was detected within minutes and packages were removed within 2-3 hours, but the damage was significant because Axios receives roughly 100 million downloads per week and is used in 80% of cloud and code environments.
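A lockfile check for the two versions named above, as an added example that is not part of the original article. The helper name `findAffectedAxios` and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag the two trojanized axios releases named in the summary
// inside an npm lockfile. Handles lockfileVersion 1 (nested "dependencies")
// and lockfileVersion 2/3 (flat "packages" keyed by node_modules path).
const AFFECTED = new Set(["1.14.1", "0.30.4"]); // versions from the summary

function findAffectedAxios(lock) {
  const hits = [];
  // v2/v3: keys look like "node_modules/a/node_modules/axios"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry describes the project itself
    // "name" is present when the install folder differs (npm aliases)
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "axios" && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // v1: walk the nested dependency tree, including transitive copies
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "axios" && AFFECTED.has(meta.version)) {
        hits.push({ path: [...trail, name].join(" > "), version: meta.version });
      }
      walk(meta.dependencies, [...trail, name]);
    }
  };
  // v2 lockfiles carry both sections; skip the legacy tree to avoid duplicates
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/@acme/axios": { version: "1.14.1" }, // different package
  },
};

console.log(findAffectedAxios(sampleLock));
```

For a real project, pass the parsed contents of `package-lock.json` to the function; a transitive copy pulled in by another dependency is reported with its full path.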
Original source: https://www.csoonline.com/article/4152696/attackers-trojanize-axios-http-library-in-highest-impact-npm-supply-chain-attack.html
First tracked: March 31, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%