Post Mortem: axios npm supply chain compromise
2026-04-02 • Axios Http
Two malicious Axios versions, 1.14.1 and 0.30.4, were published to npm on March 31, 2026 after the lead maintainer's account was compromised. The attacker injected the plain-crypto-js dependency, which installed a remote access trojan on macOS, Windows, and Linux during a roughly three-hour exposure window. The maintainer attributed initial access to targeted social engineering and RAT malware against the maintainer's PC, which enabled the theft of npm account credentials and the deletion of community reports from the compromised account. Affected users are advised to check lockfiles for the malicious Axios versions or plain-crypto-js, remove the dependency, rotate secrets, and review network logs for sfrclak[.]com or 142.11.206.73 on port 8000. The incident highlights how maintainer account compromise can turn a widely used open source package into a cross-platform supply-chain infection path.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sfrclak.com | 2026-03-30 | 2026-04-20 |
| IPv4 | 142.11.206.73 | 2026-03-30 | 2026-04-17 |
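
The lockfile check advised above, as an added example (not code from the Axios project or the original post): it scans a parsed npm `package-lock.json` in both the v1 and v2/v3 layouts for the two Axios versions and for plain-crypto-js at any depth. The function names, the sample lockfiles and the placeholder version are assumptions made for illustration; `yarn.lock` and `pnpm-lock.yaml` are not covered.

```javascript
// Versions and package name are the ones named in the post-mortem above.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const BAD_PACKAGE = "plain-crypto-js";

// Returns why a (name, version) pair is flagged, or null if it is clean.
function verdict(name, version) {
  if (name === BAD_PACKAGE) return "injected dependency";
  if (name === "axios" && BAD_AXIOS.has(version)) return "malicious axios release";
  return null;
}

// Scans a parsed package-lock.json. Handles lockfileVersion 2/3 ("packages",
// keyed by install path) and lockfileVersion 1 ("dependencies", nested tree).
function scanLockfile(lock) {
  const hits = [];
  const record = (name, version, where) => {
    const reason = verdict(name, version);
    if (reason) hits.push({ name, version, where, reason });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    // The text after the last "node_modules/" is the name, including @scope/name.
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    record(name, meta.version, path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      record(name, meta.version, where);
      walk(meta.dependencies, where); // copies nested under a parent package
    }
  };
  // v2 lockfiles carry both sections; walk "dependencies" only when it is the sole one.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not from a real project); "0.0.0-placeholder"
// stands in for a version this page does not give.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
  "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "legacy-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
} };
console.log(scanLockfile(SAMPLE_V3), scanLockfile(SAMPLE_V1));
```

To scan a real project, read its `package-lock.json`, parse it with `JSON.parse`, and pass the result to `scanLockfile`; an empty array means none of the listed packages were resolved in that lockfile.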