The popular JavaScript HTTP client library Axios was compromised in a supply chain attack, impacting approximately 80% of cloud and code environments. The attacker exploited the npm access token of Axios's lead maintainer to publish two malicious versions, axios@1.14.1 and axios@0.3.4, which contained a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux systems. These malicious packages were removed from the npm registry within three hours. Security firm Wiz reports that Axios is downloaded over 100 million times weekly, highlighting the widespread impact of the breach. Huntress, another security firm, detected the first infections just 89 seconds after the malicious packages were published, confirming at least 135 compromised systems. Despite Axios's adoption of modern security measures like OIDC trusted publishing and SLSA provenance, the attacker bypassed these protections by exploiting a traditional, long-lived NPM_TOKEN, which npm uses in preference to OIDC when both are present.