Date: March 31, 2026
Author: Jason Saayman
Status: Remediation in progress
On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were published to the npm registry through my compromised account. Both versions injected a dependency called [email protected] that installed a remote access trojan on macOS, Windows, and Linux.
The malicious versions were live for about 3 hours before being removed.
Are you affected?
Check your lockfile:
grep -E "axios@(1\.14\.1|0\.30\.4)|plain-c...