A confirmed supply chain compromise of the Axios npm package, one of the most widely consumed JavaScript HTTP client libraries, delivered an embedded remote access trojan to downstream consumers via a hijacked maintainer account publishing malicious package versions. There is no CVE ID; the incident is tracked via GitHub issue axios/axios#10636. Any organization consuming Axios in production build pipelines without integrity verification or lock-file pinning is potentially exposed to RAT installation on build agents, CI/CD runners, and dependent application environments.
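
One way to check a project for the two gaps named above (missing integrity verification and missing lock-file pinning), as an added example that is not code from the Axios project or the advisory. It assumes an npm `package-lock.json` with the v2/v3 `packages` layout; the flagged version is a placeholder because the page does not list the malicious versions, and all sample data is constructed.

```javascript
const crypto = require('crypto');

// Placeholder: the page does not list the malicious versions; take them from the advisory.
const FLAGGED_VERSIONS = new Set(['<MALICIOUS_VERSION_FROM_ADVISORY>']);

// Recompute a tarball's digest and compare it with the lock file's SRI string ("sha512-<base64>").
function verifySri(tarball, integrity) {
  const dash = integrity.indexOf('-');
  const algo = integrity.slice(0, dash);
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) return false;
  const actual = crypto.createHash(algo).update(tarball).digest('base64');
  return actual === integrity.slice(dash + 1);
}

// Report every copy of `name` in an npm v2/v3 lock file that is flagged or lacks a strong hash,
// and note when package.json only gives a range (so the lock file is the sole pin).
function auditLock(lock, manifest, name = 'axios', flagged = FLAGGED_VERSIONS) {
  const findings = [];
  const spec = { ...manifest.dependencies, ...manifest.devDependencies }[name];
  if (spec && !/^\d+\.\d+\.\d+$/.test(spec)) {
    findings.push(`package.json: "${spec}" is a range, only the lock file pins ${name}`);
  }
  const entries = Object.entries(lock.packages || {}).filter(
    ([path]) => path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`));
  if (entries.length === 0) findings.push(`lock file: no entry for ${name}`);
  for (const [path, pkg] of entries) {
    if (flagged.has(pkg.version)) findings.push(`${path}: flagged version ${pkg.version}`);
    if (!pkg.integrity) findings.push(`${path}: no integrity hash`);
    else if (!pkg.integrity.startsWith('sha512-')) findings.push(`${path}: weak integrity algorithm`);
  }
  return findings;
}

// Constructed sample data (not real Axios artifacts or versions).
const SAMPLE_TARBALL = Buffer.from('constructed tarball bytes');
const SAMPLE_SRI = 'sha512-' + crypto.createHash('sha512').update(SAMPLE_TARBALL).digest('base64');
const SAMPLE_MANIFEST = { dependencies: { axios: '^1.0.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.0.0' } },
    'node_modules/axios': { version: '1.0.0', integrity: SAMPLE_SRI },
    'node_modules/some-lib/node_modules/axios': { version: '<MALICIOUS_VERSION_FROM_ADVISORY>' },
  },
};

console.log(auditLock(SAMPLE_LOCK, SAMPLE_MANIFEST));
console.log(verifySri(SAMPLE_TARBALL, SAMPLE_SRI));
```

The audit walks nested `node_modules` paths as well as the top-level one, since a transitive copy of the package can be the affected one even when the direct dependency is clean.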