DPRK-affiliated threat actor STARDUST CHOLLIMA compromised the Axios npm package — one of the most widely consumed JavaScript libraries at approximately 100 million weekly downloads — injecting a remote access trojan into versions v1.14.1 and v0.30.4. Any organization whose software build pipeline consumed either version during the compromise window should treat their build infrastructure and all artifacts produced during that window as potentially compromised. No CVE ID has been assigned at time of publication.