On March 31, 2026, one of the most widely used JavaScript packages in the world was weaponized against its own users. The axios npm package — downloaded over 100 million times per week and present in approximately 80% of cloud environments — was compromised in a supply chain attack that deployed a cross-platform