The axios JavaScript library was compromised on npm with two malicious versions, axios@1.14.1 and axios@0.30.4, which inject a new dependency that acts as a remote access trojan. The malicious versions were published using a compromised npm account, bypassing the project's normal GitHub Actions CI/CD pipeline. The attack was sophisticated, with the malicious dependency pre-staged 18 hours in advance and designed to self-destruct after execution. Users who installed the malicious versions are advised to assume their system is compromised.