Axios npm Hijack 2026: Everything You Need to Know – IOCs, Impact & Remediation

2026-03-31 SOCRadar

https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/


An attacker hijacked the npm account of Axios lead maintainer jasonsaayman and, on March 31, 2026, published malicious axios versions 1.14.1 and 0.30.4. The poisoned releases added a dependency on the malicious plain-crypto-js package, whose postinstall script ran during npm install and downloaded a cross-platform RAT for Windows, macOS, or Linux. The campaign used a staged clean package, attacker-controlled ProtonMail accounts, a stolen long-lived npm access token, and direct npm publishing, which sidestepped GitHub Actions, OIDC provenance, code review, and the project's other CI security controls. The report's indicators (sfrclak.com, 142.11.206.73, the package hashes, the platform-specific payload paths, and the plain-crypto-js artifacts) let defenders scope exposed developer workstations, build servers, and CI/CD runners.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  sfrclak.com                         2026-03-30   2026-04-20
EMAIL   [email protected]                   2026-03-30   2026-04-17
EMAIL   [email protected]                   2026-03-30   2026-04-17
URL     http://sfrclak.com:8000/6202033     2026-03-30   2026-04-17
IPv4    142.11.206.73                       2026-03-30   2026-04-17
HASH    d6f3f62fd3b9f5432f5782b62d8cfd5…    2026-03-30   2026-04-04
HASH    07d889e2dadce6f3910dcbc253317d2…    2026-03-30   2026-04-04
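One way to act on the summary and the IOC table above, as an added example that is not SOCRadar's or the Axios project's code: a Node.js script that triages a package-lock.json (lockfileVersion 2 or 3) for the hijacked axios releases and the plain-crypto-js dependency, lists the install-phase lifecycle scripts npm would run for a package, and matches proxy, DNS or firewall log lines against the domain and IP indicators. The lockfile, package.json and log lines are constructed samples; the package name legacy-tool and the postinstall command node setup.js are hypothetical, and the plain-crypto-js version 0.0.0 is a placeholder because the page does not give the real version string.

```javascript
// Added example (not SOCRadar's or the Axios project's code): lockfile triage,
// install-script listing and network IOC matching for the axios hijack.
// Every sample below is constructed for the example.

const MALICIOUS_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_DEPENDENCY = 'plain-crypto-js';
const IOC_DOMAINS = ['sfrclak.com'];
const IOC_IPS = ['142.11.206.73'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Last package name in a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Scan the lockfileVersion 2/3 "packages" map. Nested (non-hoisted) copies are
// reported too: npm installs, and runs install scripts for, each of them.
function triageLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry
    const name = entry.name || packageNameFromPath(lockPath);
    if (name === 'axios' && MALICIOUS_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ path: lockPath, version: entry.version, reason: 'hijacked axios release' });
    } else if (name === MALICIOUS_DEPENDENCY) {
      findings.push({ path: lockPath, version: entry.version, reason: 'malicious dependency' });
    }
  }
  return findings;
}

// Lifecycle scripts that npm runs at install time, the hook the attacker used.
function installScripts(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts).map((hook) => ({ hook, command: scripts[hook] }));
}

// One regex per IOC. A domain matches itself and its subdomains but not
// "notsfrclak.com" or "sfrclak.com.example"; an IP matches only as a whole address.
function iocPatterns() {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const patterns = [];
  for (const d of IOC_DOMAINS) {
    patterns.push({ ioc: d, type: 'domain', re: new RegExp(`(?:^|[^A-Za-z0-9-])${esc(d)}(?![A-Za-z0-9-]|\\.[A-Za-z0-9])`, 'i') });
  }
  for (const ip of IOC_IPS) {
    patterns.push({ ioc: ip, type: 'ipv4', re: new RegExp(`(?<![0-9.])${esc(ip)}(?![0-9]|\\.[0-9])`) });
  }
  return patterns;
}

// Returns one hit per (line, IOC) pair; line numbers are 1-based.
function matchNetworkLogs(lines) {
  const patterns = iocPatterns();
  const hits = [];
  lines.forEach((line, index) => {
    for (const { ioc, type, re } of patterns) {
      if (re.test(line)) hits.push({ line: index + 1, ioc, type });
    }
  });
  return hits;
}

// Constructed lockfile: a direct axios dependency resolved to the hijacked
// release, a nested legacy axios under a hypothetical tooling package, and the
// dependency the poisoned release pulls in (placeholder version).
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0', 'legacy-tool': '^2.0.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.0' },
    'node_modules/legacy-tool': { version: '2.0.0' },
    'node_modules/legacy-tool/node_modules/axios': { version: '0.30.4' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// Constructed package.json with a hypothetical postinstall command.
const SAMPLE_PACKAGE_JSON = {
  name: 'plain-crypto-js',
  version: '0.0.0',
  scripts: { postinstall: 'node setup.js', test: 'echo ok' },
};

// Constructed proxy/DNS/firewall lines; line 3 is a deliberate near-miss.
const SAMPLE_LOGS = [
  '2026-03-31T10:02:11Z dns query A c2.sfrclak.com from 10.0.4.21',
  '2026-03-31T10:02:12Z proxy GET http://sfrclak.com:8000/6202033 client=10.0.4.21',
  '2026-03-31T10:03:00Z dns query A notsfrclak.com from 10.0.4.30',
  '2026-03-31T10:03:05Z fw allow 10.0.4.21 -> 142.11.206.73:8000',
  '2026-03-31T10:04:00Z proxy GET https://registry.npmjs.org/axios client=10.0.4.22',
];

console.log(JSON.stringify({
  lockfile: triageLockfile(SAMPLE_LOCKFILE),
  scripts: installScripts(SAMPLE_PACKAGE_JSON),
  network: matchNetworkLogs(SAMPLE_LOGS),
}, null, 2));
```

The URL indicator from the table is covered by the domain rule, since any request to it carries the sfrclak.com host. On a real tree, pair triageLockfile with `npm ls axios` and a check of every installed package.json under node_modules, because a lockfile only records what resolved when it was written: a caret range such as `^1.14.0` that was resolved during the exposure window would have picked up 1.14.1 even if the lockfile was later regenerated against a clean release.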
