axios npm package versions v1.14.1 and v0.30.4 were confirmed backdoored with an embedded Remote Access Trojan, creating downstream code execution risk across any software project that consumed those versions in its dependency tree. No CVE ID has been assigned to this compromise. Organizations with JavaScript or Node.js development pipelines must audit all repositories and CI/CD environments for dependency on these versions immediately.