The Axios npm package, downloaded over 100,000 times per week, was backdoored on March 31, 2026 by DPRK-affiliated threat actors using stolen maintainer credentials. Any organization whose build pipelines consumed the trojanized versions during the exposure window may have introduced the ZshBucket cross-platform backdoor into production environments. This is an active, confirmed supply chain compromise requiring immediate audit and containment, not a theoretical risk.
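One way to start the audit, as an added example that is not part of the original advisory: the JavaScript below walks a parsed `package-lock.json` (the flat v2/v3 layout or the nested v1 tree) and lists every installed copy of axios, direct, transitive or aliased. The advisory does not list the trojanized version numbers, so `AFFECTED_VERSIONS` holds labelled placeholders; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not from the advisory. The trojanized versions are not given on
// the page: replace these placeholders with the versions from the official notice.
const AFFECTED_VERSIONS = new Set(["0.0.0-PLACEHOLDER-A", "0.0.0-PLACEHOLDER-B"]);

// Return every installed copy of `name` in a parsed package-lock.json.
function findPackage(lock, name) {
  const hits = [];
  const marker = "node_modules/";
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(marker);
      if (idx === -1) continue; // root project ("") or workspace folder
      // An aliased install records the real package name in `name`.
      const realName = meta.name || path.slice(idx + marker.length);
      if (realName === name) hits.push({ path, version: meta.version });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, transitive copies sit under their parent.
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = prefix + marker + depName;
        if (depName === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Flag each axios copy whose locked version is in the affected set.
function auditAxios(lock, affected = AFFECTED_VERSIONS) {
  return findPackage(lock, "axios").map((h) => ({ ...h, affected: affected.has(h.version) }));
}

// Constructed sample lockfile (package names and versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER-A" },
    "node_modules/some-sdk": { version: "2.1.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "9.9.9-constructed" },
    "node_modules/http-alias": { name: "axios", version: "0.0.0-PLACEHOLDER-B" },
  },
};
for (const r of auditAxios(SAMPLE_LOCK)) console.log(r.affected ? "AFFECTED" : "ok", r.path, r.version);
```

A lockfile that is clean today does not show what a build resolved during the exposure window; pipelines that installed from a version range without a committed lockfile also need their install logs or artifact manifests checked.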