The Axios npm package — one of the most widely used HTTP client libraries in the JavaScript and Node.js ecosystem — was compromised via a hijacked maintainer account, resulting in two malicious versions (v1.14.1 and v0.30.4) containing an embedded Remote Access Trojan. This supply chain compromise is attributed to DPRK-linked actors operating in parallel with an insider threat campaign and China-nexus espionage targeting software development pipelines. With 572 technology organizations named on extortion leak sites as part of the broader campaign, any organization with Axios in its software supply chain must treat this as an active incident investigation.