The Hidden Blast Radius of the Axios Compromise

2026-04-01 Socket

https://socket.dev/blog/hidden-blast-radius-of-the-axios-compromise

A malicious Axios 1.14.1 release introduced the trojanized [email protected] dependency, making exposure broader than projects that explicitly listed Axios. The report shows how semver ranges, fresh installs, npx execution, CI tooling, developer CLIs, MCP servers, and SDKs could dynamically resolve the compromised version during the exposure window. Lockfiles reduced risk only when installs were deterministic and already resolved; they did not protect new dependency resolution or transient tool execution. The key operational lesson is that short-lived npm compromises can leave little current evidence after removal, requiring teams to reconstruct whether any workflow resolved the malicious dependency at the time.
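As an added example (not code from the Socket report), a small Python audit covering both halves of the lockfile point above: whether a package-lock.json has already resolved the malicious axios 1.14.1, and whether a declared caret range would have let a fresh install or transient tool run pull it in. The lockfile content is constructed, and the compromised-version table lists only the release named in this summary.

```python
import json
import re

# Constructed sample package-lock.json (lockfileVersion 3 layout); not from the report.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.13.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
        "node_modules/some-cli/node_modules/axios": {"version": "1.13.2"},
    },
})

# Known-bad releases: only the one this summary names.
COMPROMISED = {"axios": {"1.14.1"}}


def caret_allows(range_spec, version):
    """True if a plain caret range (^x.y.z, major >= 1) would let npm choose
    `version` when nothing pins it, which is the fresh-install / npx case."""
    m = re.fullmatch(r"\^(\d+)\.(\d+)\.(\d+)", range_spec)
    if not m:
        raise ValueError(f"unsupported range: {range_spec}")
    lo = tuple(int(x) for x in m.groups())
    v = tuple(int(x) for x in version.split("."))
    return v[0] == lo[0] and v >= lo


def find_resolved(lock_text, compromised=COMPROMISED):
    """Lockfile entries already resolved to a compromised version.
    Returns (lockfile path, package name, version) tuples, nested copies included."""
    lock = json.loads(lock_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project, not an installed package
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        if entry.get("version") in compromised.get(name, ()):
            hits.append((path, name, entry["version"]))
    return hits


def exposed_ranges(lock_text, compromised=COMPROMISED):
    """Root dependency ranges that an unpinned resolution could satisfy with a
    compromised version, even if the lockfile currently holds something else."""
    root = json.loads(lock_text).get("packages", {}).get("", {})
    return [(name, spec, bad)
            for name, spec in root.get("dependencies", {}).items()
            for bad in sorted(compromised.get(name, ()))
            if caret_allows(spec, bad)]


if __name__ == "__main__":
    print("resolved:", find_resolved(SAMPLE_LOCK))
    print("exposed ranges:", exposed_ranges(SAMPLE_LOCK))
```

Run it against the lockfiles checked into CI images, developer machines and MCP server projects; an empty `find_resolved` result only means the current file is clean, not that a fresh resolution during the exposure window was.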
