Two separate, confirmed supply chain compromises of the npm ecosystem bookend this week’s intelligence: North Korea’s Sapphire Sleet (BlueNoroff) weaponized 140+ packages in the @mastra scope to harvest developer credentials, API keys, SSH keys, and cryptocurrency wallet secrets across Windows, Linux, and macOS; and the Axios npm package (v1.14.1, v0.30.4) was separately compromised via a hijacked maintainer account to deliver a remote access trojan into downstream build pipelines. Both attacks share the same root cause — dormant maintainer accounts without modern MFA — and both target the same high-value downstream asset: CI/CD pipeline access and cloud environment credentials. Organizations whose developer or build environments installed affected package versions should treat all credentials present on those systems as fully compromised.
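A starting point for the triage step above, added here as an example and not part of the brief: a Node.js check that scans an npm `package-lock.json` (lockfile v2/v3 `packages` map) for the Axios versions named above and for any package under the `@mastra` scope, which is flagged for review because the brief does not enumerate the individual packages. The sample lockfile and package names in it are constructed; a match is a trigger for credential rotation and pipeline review, not proof by itself that the host was compromised.

```javascript
// Versions the brief names as compromised (pinned exactly; other Axios versions are not flagged).
const AFFECTED_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
};
// The brief gives no per-package list for @mastra, so every package in the scope is flagged for review.
const FLAGGED_SCOPES = ['@mastra/'];

// Derive the package name from a lockfile path, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar" (nested installs included).
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk the "packages" map of a parsed lockfile (JSON.parse of package-lock.json) and
// return one {name, version, reason} record per suspicious entry.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    const version = meta.version;
    if (AFFECTED_VERSIONS[name] && AFFECTED_VERSIONS[name].has(version)) {
      findings.push({ name, version, reason: 'version named as compromised' });
    } else if (FLAGGED_SCOPES.some((scope) => name.startsWith(scope))) {
      findings.push({ name, version, reason: 'scope flagged for review' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one hit on a named Axios version, one nested Axios that is
// not affected, one @mastra package (hypothetical name) and one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/some-lib/node_modules/axios': { version: '1.13.0' },
    'node_modules/@mastra/example': { version: '0.1.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; lockfile v1 files use a nested `dependencies` tree instead of `packages` and are not handled here.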