The Axios npm maintainer account was compromised and two trojanized versions — v1.14.1 (stable) and v0.30.4 (legacy) — were published within a 39-minute window, delivering a cross-platform Remote Access Trojan through three intermediate malicious packages (plain-crypto-js v4.2.1, @shadanai/openclaw, @qqbrowser/openclaw-qbot v0.0.130) across Windows, macOS, and Linux Node.js environments. The RAT actively deletes forensic artifacts post-execution, meaning absence of visible indicators does not confirm a clean system; any environment that pulled either version during the exposure window should be treated as fully compromised. Immediate actions are auditing all Node.js pipelines for the affected versions, isolating implicated hosts, rotating all secrets accessible from those environments, and pinning axios to v1.13.x or v0.29.x pending verification against the official Axios npm registry advisory and GitHub issue #10604. No CVE has been assigned as of this report date.
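One way to carry out the lockfile audit named above, as an added example that is not code from the Axios project or this report: it scans the text of a `package-lock.json` for the package versions listed here, including transitive copies. The function names and the sample lockfile are constructed, and because no version is given for @shadanai/openclaw, any version of it is flagged (an assumption).

```javascript
// Package versions named in the advisory. null = no version given there, so flag any (assumption).
const FLAGGED = {
  "axios": ["1.14.1", "0.30.4"],
  "plain-crypto-js": ["4.2.1"],
  "@shadanai/openclaw": null,
  "@qqbrowser/openclaw-qbot": ["0.0.130"],
};

function isFlagged(name, version) {
  if (!Object.hasOwn(FLAGGED, name)) return false;
  return FLAGGED[name] === null || FLAGGED[name].includes(version);
}

// lockfileVersion 1: nested "dependencies" trees, walked recursively.
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (isFlagged(name, info.version)) out.push({ name, version: info.version, path: here.join(" > ") });
    walkV1(info.dependencies, here, out);
  }
  return out;
}

// Returns [{name, version, path}] for every flagged entry in the lockfile text.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) return walkV1(lock.dependencies, [], []);
  const out = [];
  // lockfileVersion 2/3: keys are install paths such as "node_modules/a/node_modules/axios".
  for (const [path, info] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // "" (root project) and workspace folders
    const name = info.name || path.slice(i + "node_modules/".length);
    if (isFlagged(name, info.version)) out.push({ name, version: info.version, path });
  }
  return out;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = JSON.stringify({
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.2" },
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/@shadanai/openclaw": { version: "9.9.9" },
  },
});
console.log(auditLockfile(SAMPLE_LOCK));
```

Feed it the contents of each pipeline's committed lockfile. A clean result only shows what the lockfile pins now, not what was installed during the exposure window.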