A confirmed supply chain compromise of the axios npm package (versions 1.14.1 and 0.30.4) delivered a Remote Access Trojan via a hijacked maintainer account, affecting any CI/CD pipeline or application that consumed these versions without lockfile integrity enforcement. No CVE has been assigned to this incident. China-nexus and DPRK-affiliated threat actors are operating broadly against the technology sector this period, with this supply chain compromise representing the highest-priority containment action of the week.