On March 30, 2026, an attacker who had stolen an axios maintainer's npm publish credentials pushed axios@1.14.1 to the registry. The version looked like a normal patch: a single-digit bump from 1.14.0. It was live for roughly three hours before the maintainer rotated credentials and the version was unpublished. Three hours, on a Monday, during peak CI/CD hours across multiple time zones. Any team running pnpm install or npm install against a ^1.14.0 constraint pulled 1.14.1 automatically. (^1.14.0 means "any 1.x.y ≥ 1.14.0"; most package managers express the same idea: ~= in pip, ^ in Cargo, ~> in Gemfile.) No CVE was published during the window. SAST tools had nothing to flag. axios@1.14.1 added one new transitive dependency (a dependency-of-a-dependency, pulled in indirectly): plain-crypto-js@4.2.1.…
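To make the two mechanics above concrete, here is an added example (not code from the article or from the axios project): a minimal npm-style caret matcher showing why ^1.14.0 admits 1.14.1, and a flattened-lockfile diff that surfaces a new transitive package the way a CI check would. The dependency names and versions other than axios and plain-crypto-js are constructed sample data, and only plain X.Y.Z versions are handled.

```javascript
// Parse "X.Y.Z" into [X, Y, Z]; prerelease tags and build metadata are out of scope.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret semantics: the left-most non-zero component is locked, everything
// to its right may float. ^1.14.0 => >=1.14.0 <2.0.0, ^0.2.1 => >=0.2.1 <0.3.0,
// ^0.0.3 => exactly 0.0.3.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges supported");
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compare(v, base) < 0) return false;
  let upper;
  if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// Resolved dependency trees flattened to name -> version, the shape you get
// from a lockfile. Constructed sample modelled on the incident; versions of
// the pre-existing transitive packages are placeholders.
const before = { axios: "1.14.0", "follow-redirects": "1.15.0", "form-data": "4.0.0" };
const after  = { axios: "1.14.1", "follow-redirects": "1.15.0", "form-data": "4.0.0",
                 "plain-crypto-js": "4.2.1" };

// Report packages that appeared or changed version between two installs.
// A brand-new package in the "added" list is the signal that would have
// flagged plain-crypto-js during the three-hour window.
function treeDiff(beforeTree, afterTree) {
  const added = [], changed = [];
  for (const [name, ver] of Object.entries(afterTree)) {
    if (!(name in beforeTree)) added.push(`${name}@${ver}`);
    else if (beforeTree[name] !== ver) changed.push(`${name} ${beforeTree[name]} -> ${ver}`);
  }
  return { added, changed };
}

console.log(caretSatisfies("^1.14.0", "1.14.1")); // true: the caret admits the patch bump
console.log(treeDiff(before, after)); // added: plain-crypto-js@4.2.1, changed: axios
```

Running the same diff against the lockfile committed to the repository, rather than against whatever the package manager resolved today, is what turns this from a demo into a gate.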