Malicious versions of the Axios npm package (v1.14.1 and v0.30.4), a package with approximately 100 million weekly downloads, delivered a Remote Access Trojan to downstream consumers via compromised package versions. Concurrently, 570GB of private source code was exfiltrated from an unnamed software development company across 28,000 projects. China-nexus espionage actors account for more than 58% of state-sponsored targeted intrusions against the technology sector in the April 2025-March 2026 reporting period, while DPRK-affiliated actors continue fraudulent employment and supply chain poisoning operations.