The npm ecosystem faces a dual threat. The first is a confirmed supply chain compromise of the Axios package: versions v1.7.2 through v1.8.3 contain a Remote Access Trojan, distributed to environments consuming approximately 100 million downloads per week. The second is an AI-accelerated campaign pattern that shrinks the window between malicious publication and detection to 48-72 hours. Any organization building or shipping software that consumes npm packages, directly or transitively, is exposed, and the self-spreading Mini Shai-Hulud attack variant targeting TanStack demonstrates that passive consumption is no longer the only risk vector.
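Because exposure can be transitive, the version range stated above has to be checked against every installed copy of axios, not only the one in `package.json`. The following is an added example, not code from the original page: it walks a parsed `package-lock.json` in either lockfile layout, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Version range as stated on this page: axios 1.7.2 through 1.8.3 inclusive.
const AFFECTED = { name: "axios", min: [1, 7, 2], max: [1, 8, 3] };

// Parse "1.8.3" or "v1.8.3" into [major, minor, patch]; returns null for
// prereleases, git/tarball specs, or entries with no version (e.g. links).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v || "").trim());
  return m ? m.slice(1).map(Number) : null;
}
// Numeric comparison, so 1.10.0 sorts after 1.8.3 (string comparison would not).
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function inAffectedRange(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.max) <= 0;
}

// lockfileVersion 2/3 lists every copy under "packages", keyed by install path;
// lockfileVersion 1 nests transitive copies under "dependencies".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === AFFECTED.name && inAffectedRange(meta.version)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === AFFECTED.name && inAffectedRange(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 carries both trees; avoid double counting
  return hits;
}

// Constructed sample lockfile (not real project data): a clean direct copy, an in-range transitive copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.9.0" },
    "node_modules/some-sdk": { version: "2.1.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.8.1" },
  },
};
console.log(findAffected(sampleLock));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `findAffected`.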

Author

Tech Jacks Solutions