State-sponsored actors (China-nexus and DPRK) compromised the npm registry publishing account for the Axios JavaScript library and published malicious versions v1.14.1 and v0.30.4 containing a remote access trojan. Axios is one of the most widely deployed npm packages globally; any organization with Node.js environments that updated during the exposure window without integrity verification must treat affected build pipelines and production services as compromised. No CVE has been assigned; the attack vector was registry account compromise, not a software vulnerability.