DPRK-linked threat actors compromised the axios npm package by publishing two malicious versions (v1.14.1 and v0.30.4) containing an embedded Remote Access Trojan, affecting a package with approximately 100 million weekly downloads. No CVE has been assigned; the attack maps to supply chain compromise (MITRE ATT&CK T1195.002) and affects any organization whose development pipelines or production applications resolved either malicious version. StepSecurity, Huntress, and Phoenix Security have published independent analyses, including IOCs for the RAT payload.