The most INSANE attack in JavaScript history?


The Axios JavaScript library, installed over 300 million times per week, was compromised in a supply chain attack. An attacker hijacked a lead maintainer's npm account, changed the email address, and published two malicious versions. Rather than injecting malicious code into Axios itself, the attacker added a dependency whose postinstall script installed a Remote Access Trojan on victim machines. The attack bypassed CI/CD pipelines entirely. Given that Axios is installed roughly 500 times per second, even a short exposure window could have compromised a significant number of machines. The attack was caught relatively quickly, but it highlights the danger of supply chain vulnerabilities in widely used open source packages.
