Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT

2026-03-31 Snyk

https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/


Malicious axios versions 1.14.1 and 0.30.4 were briefly published to npm after a likely compromise of a maintainer account, exposing developers and CI/CD systems that installed either version during the publication window. The attacker did not modify the Axios source itself; instead they added a dependency, [email protected], whose postinstall script (setup.js) acted as a dropper, using reversed Base64 and XOR obfuscation before contacting sfrclak[.]com:8000 (142.11.206.73). The dropper selected a macOS, Windows, or Linux payload, each installing RAT functionality: host fingerprinting, beaconing, shell or script execution, directory enumeration, payload injection, and removal of visible installation artifacts. Because the malicious code runs at install time, any build system or developer machine that installed an affected version should be treated as compromised: audit lockfiles for the two versions and rotate every credential that was exposed on those hosts.
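To turn that advice into a check, the following Node.js script is an added example, not code from Snyk or the Axios project. It audits an npm lockfile for the two malicious axios versions, lists install-time lifecycle hooks in a package.json (the channel the dropper used), and includes a small decoder for the reversed-Base64-plus-XOR layering described above. The lockfile and package.json it scans are constructed samples, and the decoder's layer order and key are assumptions, since the page states neither.

```javascript
// Added example (not Snyk's or the Axios project's code). Audits an npm
// lockfile for the malicious axios releases, lists install-time lifecycle
// hooks in a package.json, and peels a reversed-Base64 + XOR layer.
// Sample inputs below are constructed; the decoder's layer order and key
// are assumptions, the page states neither.

const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Package name from a lockfile v2/v3 `packages` key, e.g.
// "node_modules/a/node_modules/axios" -> "axios".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns every installed axios entry whose version is a malicious release.
// Handles lockfileVersion 2/3 (flat `packages` map) and falls back to the
// nested `dependencies` tree of lockfileVersion 1.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      if (packageNameFromPath(path) === "axios" &&
          MALICIOUS_AXIOS_VERSIONS.has(entry.version)) {
        findings.push({ path, version: entry.version });
      }
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(entry.version)) {
        findings.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Install-time lifecycle scripts run automatically on `npm install`; every
// one in a third-party package deserves review, and one that runs a dropped
// file such as setup.js is a red flag.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// XOR every byte of `buf` with the repeating key.
function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  if (k.length === 0) throw new Error("key must not be empty");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Assumed layering: reverse(base64(xor(plaintext, key))). `obfuscate` exists
// only so a sample can be built deterministically; `deobfuscate` is the
// triage helper you would point at a recovered blob.
function obfuscate(plaintext, key) {
  const b64 = xorBytes(Buffer.from(plaintext, "utf8"), key).toString("base64");
  return b64.split("").reverse().join("");
}
function deobfuscate(blob, key) {
  const b64 = blob.split("").reverse().join("");
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// Constructed lockfileVersion 3 sample: direct axios 1.14.1, nested 0.30.4.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-tool": { version: "2.0.0" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.30.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed package.json for a dependency carrying an install-time hook.
const SAMPLE_PACKAGE_JSON = {
  name: "some-dependency",
  version: "1.0.0",
  scripts: { postinstall: "node setup.js", test: "jest" },
};

console.log("malicious axios entries:", auditLockfile(SAMPLE_LOCKFILE));
console.log("install hooks:", findInstallHooks(SAMPLE_PACKAGE_JSON));
console.log("decoded sample:", deobfuscate(obfuscate("hi", "k"), "k"));
```

In practice, `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json")))` over every repository and CI cache is the quick triage; a hit means the host ran the postinstall dropper and belongs in the compromised set regardless of what the lockfile says today.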

Indicators of Compromise

Type     Value            First Seen    Last Seen
DOMAIN   sfrclak.com      2026-03-30    2026-04-20
IPv4     142.11.206.73    2026-03-30    2026-04-17
