A DPRK-attributed threat actor used stolen npm maintainer credentials to publish backdoored versions of Axios (v1.14.1 and v0.30.4) on March 31, 2026, delivering a cross-platform backdoor with JSON-based C2 to any environment that installed either version. The backdoor introduces a rogue dependency (‘plain-crypto-js’) and operates across Windows, macOS, and Linux. Any organization whose CI/CD pipelines or production applications consumed these versions without lockfile integrity enforcement should treat the environment as compromised.

Author

Tech Jacks Solutions